ThreatConnect

Integration version: 11.0

Configure ThreatConnect to work with Google Security Operations SOAR

Organization Settings: Membership

To obtain your API Access ID, Secret Key, and set up a Default API Organization, first you'll have to add an API user in the organization. These configurations are to be found in Settings > Org Settings in your ThreatConnect Interface.

Creating an API User

  1. Click the Create API User button on the Membership tab of the Organization Settings screen.
  2. Fill in the following fields in order to create and configure the API user account:

    • First Name: Enter the API user's first name.
    • Last Name: Enter the API user's last name.
    • Include in Observations and False Positives: Check this box to allow data provided by the API user to be included in observation and false-positive counts. See Reporting False Positives for more information.
    • Disabled: Click the checkbox to disable an API user's account in the event that the Administrator wishes to retain log integrity when the API user no longer requires ThreatConnect access.
  3. Record the Secret Key, as it will not be accessible after the window is closed.

  4. Click the SAVE button to create the API user account.

Configure ThreatConnect integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Actions

Enrich Entities

Description

Enrich IP addresses, hosts, URLs, and hashes with information from ThreatConnect.

Parameters

Parameter Type Default Value Description
Owner Name String N/A Owner name to fetch the data from.

Run On

This action runs on the following entities:

  • IP Address
  • Filehash
  • URL
  • Hostname

Action Results

Entity Enrichment
Enrichment Field Name Logic - When to apply
securityLabels Returns if it exists in JSON result
owners Returns if it exists in JSON result
victims Returns if it exists in JSON result
tags Returns if it exists in JSON result
general Returns if it exists in JSON result
observations Returns if it exists in JSON result
groups Returns if it exists in JSON result
indicators Returns if it exists in JSON result
attributes Returns if it exists in JSON result
observationCount Returns if it exists in JSON result
victimAsset Returns if it exists in JSON result
Insights

N/A

Script Result
Script Result Name Value Options Example
is_enriched True/False is_enriched:False
JSON Result
[
    {
        "EntityResult": {
            "securityLabels": {
                "securityLabel": [],
                "resultCount": 0
            },
            "owners": {
                "owner": [{
                    "type": "Organization",
                    "id": 440,
                    "name": "S"
                }]},
            "victims": {
                "resultCount": 0,
                "victim": []
            },
            "tags": [
                "C2",
                "Malware"
            ],
            "general": {
                "url": {
                    "rating": 5.0,
                    "confidence": 100,
                    "dateAdded": "2018-01-09T20: 12: 11Z",
                    "description": "URLAssociatedwithCryptoLockerC2Servers",
                    "threatAssessConfidence": 93.33,
                    "lastModified": "2018-01-09T20: 13: 24Z",
                    "threatAssessRating": 4.33,
                    "webLink": "https: //sandbox.threatconnect.com/auth/indicators/details/url.xhtml?orgid=43743075&owner=S",
                    "text": "http: //markossolomon.com/f1q7qx.php",
                    "owner": {
                        "type": "Organization",
                        "id": 440,
                        "name": "S"
                    },
                    "id": 43743075
                }},
            "observations": {
                "resultCount": 0,
                "observation": []
            },
            "groups": null,
            "indicators": {
                "indicator": [],
                "resultCount": 0
            },
            "attributes": {
                "Description": ["URLAssociatedwithCryptoLockerC2Servers"]
            },
            "observationCount": {
                "observationCount":
                {
                    "count": 0
                }},
            "victimAssets": {
                "victimAsset": [],
                "resultCount": 0
            }},
        "Entity": "HTTP: //MARKOSSOLOMON.COM/F1Q7QX.PHP"
    }
]

Ping

Description

Test Connectivity.

Parameters

N/A

Run On

This action runs on all entities.

Action Results

Entity Enrichment

N/A

Insights

N/A

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
N/A