BlueLiv

Integration version: 8.0

Integration guide

The integration purpose is to ingest the threats from BlueLiv, using the relevant filters to only show the desired threats within Google Security Operations SOAR, using the Threats Connector, and then have additional actions performed on those threats according to the relevant use cases.

In this quick guide we will go through a few things to make the usage of the integration easier for Google Security Operations SOAR customers.

Integration configuration

We will go over the parameters and where to find those so it will be easier for you to configure the integration:

  • API Root - this is the URL you are using in order to view the BlueLiv homepage, when the suffix /api/v2 added to it. For example: https://tcdach.blueliv.com/api/v2 should be the value on this parameter.
  • User name - same user name you use to connect to the BlueLiv homepage.
  • Password - same password you use to connect to the BlueLiv homepage.
  • Organization ID - you can easily spot the organization ID on the URL you are using in order to browse the product itself, so for example:

    For this example, here the organization ID is 117:

    https://tcdach.blueliv.com/dashboard/organizations/117/indexed

After going through the integration parameters, we can deep dive to the other terms in our integration.

Module Types

BlueLiv have divided the threats section to module types, and on this integration we use those types to help the SOAR platform and ingest only the relevant information if you want to filter by module type. The following module types are currently available in BlueLiv:

  • Credentials
  • Social Media
  • Credit Cards
  • Domain Protection
  • Malware
  • Data Leakage
  • Hacktivism
  • Dark Web
  • Custom
  • Media Tracker
  • Mobile Apps

Threat ID and Module ID

https://tcdach.blueliv.com/dashboard/organizations/117/modules/1303/resource/31024379

Every threat you can find in BlueLiv has a UID, a number that represents it. This one can also be easily spotted in the URL. A threat is also called a resource. For example, here the threat UID is 31024379.

Also, for every module that you have on BlueLiv you have a UID, a number that represents it. For example, here the threat UID is 1303.

Recommendation regarding configuration

Blueliv only allows one open session a time. It is recommended to use different users for integration configuration and connectors for stability purposes. Note: each connector would need a separate user.

Use Cases

  1. Proactive cyber threat monitoring
  2. Brand Protection
  3. Data Breach Protection
  4. Fraud Prevention
  5. Counterfeit Detection

Configure BlueLiv integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter Display Name Type Default Value Is Mandatory Description
API Root String

https://example
.blueliv.com/api/v2

Yes API Root of the BlueLiv instance.
User Name String N/A Yes User Name of BlueLiv.
Password Password N/A Yes Password of the user
Organization ID String N/A Yes Specify the Organization ID to use in BlueLiv
Verify SSL Checkbox Unchecked Yes If enabled, verifies that the SSL certificate for the connection to the IronScales server is valid.

Actions

Ping

Description

Test connectivity to BlueLiv with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.

Parameters

N/A

Run On

The action doesn't run on entities, nor has mandatory input parameters.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If both API calls were successful: "Successfully connected to the BlueLiv server with the provided connection parameters!"

The action should fail and stop a playbook execution:

If only first call was ok and second one didn't work: "Successfully logged in with the user name and password, but seems like the Organization ID is not correct. Please check the Organization ID parameter in the Integration Configuration page and try again "

if not successful: "Failed to connect to the BlueLiv! Error is {0}".format(exception.stacktrace)

General

Enrich Entities

Description

Enrich entities using information from Threat Context module of Blueliv. Supported entities: IP, Hash, URL, Threat Actor, Threat Campaign, Threat Signature, Domain, CVE.

Parameters

Name Default Value Is Mandatory Description
Lowest Score To Mark as Suspicious 5 Yes Specify what should be the lowest score for the entity to be marked as suspicious. Maximum: 10.
Create Insight True No If enabled, action will create insights containing information about entities.

Run On

This action runs on the following entities:

  • IP Address
  • Hash
  • URL
  • Threat Actor
  • Threat Campaign
  • Threat Signature
  • CVE
Action Results
Script Result
Script Result Name Value Options Example
success True/False success:False
Case Wall
Case Success Fail Message
If enriched some entities true false Successfully enriched the following entities using information from Blueliv: {entity.identifier}
If not enriched some true false Action wasn't able to enrich the following entities using information from Blueliv: {entity.identifier}
if not enriched all false false No entities were enriched using information from Blueliv.
Fatal error, invalid creds, API root false true Error executing action "Enrich Entities". Reason: {error traceback}
If "Threat Context" module is not available false True Error executing action "Enrich Entities". Reason: your instance doesn't support "Threat Context" module.

Add Comment to a Threat

Description

The action will add a desired text comment to a specific threat.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Module Type String N/A Yes Specify the module type the resource belongs to.
Module ID String N/A Yes Specify the module ID the resource belongs to.
Resource ID String N/A Yes Specify the Resource ID to add the comment to.
Comment Text String N/A Yes Provide the comment you would like to add to the resource.

Run On

This action doesn't run on entities.

Action Results
Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
Case Wall
Result type Value/Description Type (Entity \ General)
Output message*

The action should not fail nor stop a playbook execution:

If successful: "Successfully added the comment to threat ID: "+{threat_ID}

The action should fail and stop a playbook execution:

If not successful: "Failed to perform action "Add Comment to a Threat {0}".format(exception.stacktrace)

General
Case Wall table

Name: "Threat ID "+{threat_id}+" Comments:

Column:

  • Comment Row
  • Comment ID
  • Content
  • Creation Date
  • Commenter

Mark Threat as a Favorite

Description

The action will mark the specified threat as a favorite threat in BlueLiv.

Parameters

Parameter Display Name Type Default Value DDL Values Is Mandatory Description
Module Type String N/A Yes Specify the module type the resource belongs to.
Module ID String N/A Yes Specify the module ID the resource belongs to.
Resource ID String N/A Yes Specify the Resource ID to add the comment to.
Favorite Status DDL User Starred

Not Starred

User Starred

Group Starred

Full Starred

Yes Provide the Favorite status you would like to apply on the specified threat.

Run On

This action doesn't run on entities.

Action Results
Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
Case Wall
Result type Value/Description Type (Entity \ General)
Output message*

The action should not fail nor stop a playbook execution:

If successful: "Successfully marked threat ID: "+{threat_ID}+" as favorite"

The action should fail and stop a playbook execution:

If not successful: "Failed to perform action "Mark Threat as a Favorite {0}".format(exception.stacktrace)

General

Add Labels to Threats

Description

The action will add the specified label name to the specified threat IDs.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Module Type String N/A Yes Specify the module type the resource belongs to.
Module ID String N/A Yes Specify the module ID the resource belongs to.
Resource ID String N/A Yes Specify the Resource IDs, i na comma separated list, to add the labels to.
Label Names String N/A Yes Specify the label names you would like to apply to the specified threats, in a comma-separated list. Please pay attention to lowercase and uppercase.

Run On

This action doesn't run on entities.

Action Results
Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
Case Wall
Result type Value/Description Type (Entity \ General)
Output message*

The action should not fail nor stop a playbook execution:

If some labels weren't found successfully: "Couldn't find the following labels in BlueLiv":+(unsuccessful_label names_list)+". Please check the label names you have provided in the action parameters and try again"

If some threats weren't found: "Couldn't find the following threats in BlueLiv":+(unsuccessful_threat_IDs)+". Please check the threat IDs you have provided in the action parameters and try again"

If was successful: "Successfully added the following labels:" +(successful_label_names_list)+" to the following "threat IDs: "+(successful_threat_IDs_list)

The action should fail and stop a playbook execution:

If no labels were found successfully: "Couldn't find any of the following labels in BlueLiv":+(unsuccessful_label names_list)+". Please check the label names you have provided in the action parameters and try again"

If no Threats were found successfully: "Couldn't find any of the following Threats in BlueLiv":+(unsuccessful_threat_IDs_list)+". Please check the threat IDs you have provided in the action parameters and try again"

If not successful: "Failed to perform action "Add Labels to Threats".format(exception.stacktrace)

General

Remove Labels From Threats

Description

The action will remove the specified labels from the specified threat IDs.

Parameters
Name Default Value Is Mandatory Description
Module Type N/A Yes Specify the module type the resource belongs to.
Module ID Yes Specify the module ID the resource belongs to
Resource ID Yes Specify a comma-separated list of resource IDs from which you want to remove labels.
Label Names Yes Specify a comma-separated list of labels that need to be removed. Please pay attention to lowercase and uppercase.

Run On

This action doesn't run on entities.

Action Results
Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
Case Wall
Case Success Fail Message
If some labels weren't found true false "Couldn't find the following labels in BlueLiv: \n {labels}. Please check the label names you have provided in the action parameters and try again."
If some threats weren't found true false Couldn't find the following threats from module {module} {threat IDs}: {threat IDs}. Please check the threat IDs you have provided in the action parameters and try again
If successful for some: true false Successfully removed the following labels from the following threat {threat ID} in Blueliv: {successful_labels}
If some were not applied already: true false The following labels were already not a part of the threat {threat ID} in Blueliv: {labels already not a part}
If no labels are found false true Error executing action "Remove Labels From Threats". Reason: None of the labels were found. Please check the spelling.
If no threats were found false true Error executing action "Remove Labels From Threats". Reason: None of the threats were found. Please check the spelling.
Fatal error, invalid creds, API root false true Error executing action "Remove Labels From Threats". Reason: {error traceback}
If module type or id is not valid false true Error executing action "Remove Labels From Threats". Reason: invalid module ID or module type was provided.

List Entity Threats

Description

List threats related to entities in Blueliv. Supported entities: All.

Known Limitations

Blueliv API might not return any results, even if the string matches the threat name identically. Example is shown below:

https://pastebin.com/YRkUCLGc - URL is shown, when searching using the "pastebin" keyword.

https://pastebin.com/YRkUCLGc - is not shown, when searching using the "https://pastebin.com/YRkUCLGc" keyword.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Label Filter CSV N/A No Specify a comma-separated list of labels, that will be used to filter threats. Note: label filter works with "OR" logic.
Module Filter CSV N/A No Specify a comma-separated list of modules, that will be used to filter threats.
Max Threats To Return Integer 50 No Specify how many threats to return per entity. If nothing is specified, action will return 50 threats.

Run On

This action runs on all entities.

Action Results
Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
JSON Result
{
    "id": xxxxxxx,
    "module_id": xxxx,
    "module_name": "Data Leakage",
    "module_short_name": "xxx-xxxxx",
    "module_type": "DATA_LEAKAGE",
    "url": "xxx",
    "content_type": "text/html",
    "countries_id": "xx",
    "analysis_result": "INFORMATIVE",
    "analysis_calc_result": "INFORMATIVE",
    "created_at": 1626163680000,
    "checked_at": 1626163680000,
    "changed_at": 1626163680000,
    "user_rating": 0,
    "read": true,
    "fav": "NOT_STARRED",
    "issued": false,
    "labels": [
        {
            "id": 36116,
            "name": "GithubCodeByFilename",
            "background_color": 16777215,
            "text_color": 0,
            "type": "GLOBAL"
        },
        {
            "id": 160,
            "name": "Public",
            "background_color": 45960,
            "text_color": 16777215,
            "type": "GLOBAL"
        }
    ],
    "tlpStatus": "AMBER",
    "searchPhrase": "credit card",
    "followedUp": false,
    "history": []
},
Case Wall
Result type Value/Description Type (Entity \ General)
Output message*

The action should not fail nor stop a playbook execution:

If data is available for one(is_success = true): "Successfully listed available threats to the following entities in Blueliv: {entity.identifier}".

If no threats for one (is_success=true): "No related threats were found to the following entities in Blueliv: {entity.identifier}"

If no threats for one (is_success=true): "No related threats were found to the provided entities in Blueliv"

The action should fail and stop a playbook execution:

If fatal error, like wrong credentials, no connection to server, other: "Error executing action "List Entity Threats". Reason: {0}''.format(error.Stacktrace)

General
Case Wall Table

Title: {entity.identifier}

Module Name

URL

Title

Labels

Created At

Entity

Connector

BlueLiv - Threats Connector

Description

Pull security threats from BlueLiv. Connector fetches all of the latest threats from BlueLiv modules.

Whitelist and blacklist filters work with BlueLiv module types. For example, if you want to get threats only from Hacktivism modules, you can turn on the whitelist and type in the "Hacktivism" type name.

For each module type, there's a different structure of data being ingested into Google Security Operations SOAR. Please modify the mapping in your Google Security Operations SOAR instance to best suit your needs. Please make sure to see the different "event_type" values for each event coming back from BlueLiv.

For the Malware threat type, we currently provide the basic event data only. We will add an additional event very soon, to better handle the special data that comes back from a Malware threat type.

Configure BlueLiv - Threats Connector in Google Security Operations SOAR

For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.

Connector parameters

Use the following parameters to configure the connector:

Parameter Display Name Type Default Value Is Mandatory Description
Product Field Name String ProductName Yes Enter the source field name in order to retrieve the Product Field name.
Event Field Name String event_type Yes Enter the source field name in order to retrieve the Event Field name.
Environment Field Name String "" No

Describes the name of the field where the environment name is stored.

If the environment field isn't found, the environment is the default environment.

Environment Regex Pattern String .* No

A regex pattern to run on the value found in the "Environment Field Name" field.

Default is .* to catch all and return the value unchanged.

Used to allow the user to manipulate the environment field via regex logic.

If the regex pattern is null or empty, or the environment value is null, the final environment result is the default environment.

Script Timeout (Seconds) Integer 180 Yes Timeout limit for the python process running the current script.
API URL String https://example.blueliv.com/api/v2 Yes API Root of the BlueLiv instance.
User Name String N/A Yes User name for BlueLiv
Password Password N/A Yes User password for BlueLiv
Organization ID String N/A Yes Specify the Organization ID to use in BlueLiv
Fetch Max Hours Backwards Integer 1 No Amount of hours from where to fetch events.
Max threats To Fetch Integer 10 No

How many threats to process per one connector iteration.
Note - Maximum value here is 100.

Severity String Medium Yes

Severity will be one from the following values Low, Medium, High, Critical.
Will be assigned to Google Security Operations SOAR alerts created from this connector.

Analysis results to ingest String (Values: NOT_AVAILABLE, NOT_IMPORTANT, NOT_PROCESSABLE, POSITIVE, NEGATIVE, INFORMATIVE, IMPORTANT) N/A No

Filter the threats by the analyst analysis to this threat, only ingest threats with the chosen analysis result. Provide a comma separated list of the desired analysis results to ingest.
Possible values: NOT_AVAILABLE, NOT_IMPORTANT, NOT_PROCESSABLE, POSITIVE, NEGATIVE, INFORMATIVE, IMPORTANT

Labels to filter by String (comma separated list) N/A No Please provide a comma separated list of the label names you want to filter by. Please pay attention to uppercase and lowercase letters and write the labels exactly as they appear in BlueLiv UI.
Reading status to ingest String (Values: "Only Read", "Only Unread") N/A No Filter the threats by their reading status, so that the connector will ingest according to it. If no value is provided we will fetch both. Options: "Only Read", "Only Unread".
Should Ingest only starred threats? Checkbox Unchecked No If checked, only starred (favorite) threats will be ingested
Should Ingest threats related to incidents? String (values:, Only Incidents, Only Non Incidents) N/A No Should connector filter the threats by checking the relationship to an incident. If no value is provided we will fetch both .Options are: Only Incidents- will ingest only threats related to incidents, Only Non Incidents - will ingest only threats that are not related to incidents
Use whitelist as a blacklist Checkbox Unchecked Yes If enabled, whitelist will be used as a blacklist.
Verify SSL Checkbox Unchecked Yes If enabled, verify the SSL certificate for the connection to the BlueLiv server is valid.
Proxy Server Address String N/A No The address of the proxy server to use.
Proxy Username String N/A No The proxy username to authenticate with.
Proxy Password Password N/A No The proxy password to authenticate with.

Connector Rules

Proxy Support

The connector supports Proxy.