Anomali ThreatStream

Integration version: 5.0

Configure Anomali ThreatStream integration in Google Security Operations SOAR

For detailed instructions about how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter name	Type	Default value	Is mandatory	Description
Web Root	String	https://siemplify.threatstream.com	Yes	Web Root of the Anomali ThreatStream instance. This parameter is used for creating report links across integration items.
API Root	String	https://api.threatstream.com	Yes	API Root of the Anomali ThreatStream instance.
Email Address	String	N/A	Yes	Email address of the Anomali ThreatStream account.
API Key	Password	N/A	Yes	API key of the Anomali ThreatStream account.
Verify SSL	Checkbox	Checked	Yes	If enabled, verifies that the SSL certificate for the connection to the Anomali ThreatStream server is valid.

Product use cases

Perform active actions - entity enrichment.

Actions

Add Tags To Entities

Description

Add tags to entities in Anomali ThreatStream.

Parameters

Parameter name	Type	Default value	Is mandatory	Description
Tags	CSV	N/A	Yes	Specify a comma-separated list of tags that need to be added to entities in Anomali ThreatStream.

Run On

This action runs on the following entities:

Hash
IP Address
URL
Email

Action results

Script result

Script result name	Value options	Example
is_success	True or False	is_success:False

JSON result

N/A

Case wall

Result type	Description	Type
Output message*	The action should not fail nor stop a playbook execution: If successful and at least one hash across entities is found (is_success=true): "Successfully added tags to the following entities in Anomali ThreatStream:\n{0}".format(entity.identifier list) If not found specific entities (is_success=true): "The following entities were not found in Anomali ThreatStream\n: {0}".format([entity.identifier]) If not found all entities (is_success=false): "None of the provided entities were found." The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to server, other is reported: "Error executing action "Add Tags To Entities". Reason: {0}''.format(error.Stacktrace)	General

Result type

Description

Type

Output message*

The action should not fail nor stop a playbook execution:

If successful and at least one hash across entities is found (is_success=true): "Successfully added tags to the following entities in Anomali ThreatStream:\n{0}".format(entity.identifier list)

If not found specific entities (is_success=true): "The following entities were not found in Anomali ThreatStream\n: {0}".format([entity.identifier])

If not found all entities (is_success=false): "None of the provided entities were found."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to server, other is reported: "Error executing action "Add Tags To Entities". Reason: {0}''.format(error.Stacktrace)

General

Enrich entities

Description

Retrieve information about IPs, URLs, hashes, email addresses from Anomali ThreatStream.

Parameters

Parameter name	Type	Default value	Is mandatory	Description
Severity Threshold	DDL	Low Possible values: Very High High Medium Low	Yes	Specify what should be the severity threshold for the entity, in order to mark it as suspicious. If multiple records are found for the same entity, action will take the highest severity out of all available records.
Confidence Threshold	Integer	N/A	Yes	Specify what should be the confidence threshold for the entity, in order to mark it as suspicious. Note: Maximum is 100. If multiple records are found for the entity, action will take the average. Active records have priority.
Ignore False Positive Status	Checkbox	Unchecked	No	If enabled, action will ignore the false positive status and mark the entity as suspicious based on the Severity Threshold and Confidence Threshold. If disabled, action will never label false positive entities as suspicious, regardless, if they pass the Severity Threshold and "Confidence Threshold" conditions or not.
Add Threat Type To Case	Checkbox	Unchecked	No	If enabled, action will add threat types of the entity from all records as tags to the case. Example: apt
Only Suspicious Entity Insight	Checkbox	Unchecked	Yes	If enabled, action will create insight only for entities that exceeded the Severity Threshold and Confidence Threshold.
Create Insight	Checkbox	Unchecked	Yes	If enabled, action will add an insight per processed entity.

Run on

This action runs on the following entities:

Hash
IP Address
URL
Email

Action results

Script result

Script result name	Value options	Example
is_success	True or False	is_success:False

JSON result

N/A

Entity enrichment

Enrichment field name	Logic - When to apply
id	When available in JSON
status	When available in JSON
itype	When available in JSON
expiration_time	When available in JSON
ip	When available in JSON
feed_id	When available in JSON
confidence	When available in JSON
uuid	When available in JSON
retina_confidence	When available in JSON
trusted_circle_ids	When available in JSON
source	When available in JSON
latitude	When available in JSON
type	When available in JSON
description	When available in JSON
tags	When available in JSON
threat_score	When available in JSON
source_confidence	When available in JSON
modification_time	When available in JSON
org_name	When available in JSON
asn	When available in JSON
creation_time	When available in JSON
tlp	When available in JSON
country	When available in JSON
longitude	When available in JSON
severity	When available in JSON
subtype	When available in JSON
report	When available in JSON

Case wall

Result type	Description	Type
Output message*	The action should not fail nor stop a playbook execution: If successful and at least one of the provided entities is enriched (is_success=true): "Successfully enriched the following entities using Anomali ThreatStream: \n {0}".format(entity.identifier list) If failed to enrich specific entities (is_success=true): "Action was not able to enrich the following entities using Anomali ThreatStream\n: {0}".format([entity.identifier]) If failed to enrich all entities (is_success=false): "No entities were enriched." The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to server, other is reported: "Error executing action "Enrich Entities". Reason: {0}''.format(error.Stacktrace) If the "Confidence Threshold" parameter is not in the 0-100 range: "'Confidence Threshold' value should be in range from 0 to 100."	General
Case Wall Table	Table Name: Related Analysis Links: {entity_identifier} Table Columns: Name Link	General
Case Wall Table	Keys based on the enrichment table	Entity

Result type

Description

Type

Output message*

The action should not fail nor stop a playbook execution:

If successful and at least one of the provided entities is enriched (is_success=true): "Successfully enriched the following entities using Anomali ThreatStream: \n {0}".format(entity.identifier list)

If failed to enrich specific entities (is_success=true): "Action was not able to enrich the following entities using Anomali ThreatStream\n: {0}".format([entity.identifier])

If failed to enrich all entities (is_success=false): "No entities were enriched."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to server, other is reported: "Error executing action "Enrich Entities". Reason: {0}''.format(error.Stacktrace)

If the "Confidence Threshold" parameter is not in the 0-100 range: "'Confidence Threshold' value should be in range from 0 to 100."

General

Case Wall Table

Table Name: Related Analysis Links: {entity_identifier}

Table Columns:

Name
Link

General

Case Wall Table

Keys based on the enrichment table

Entity

Get Related Associations

Description

Retrieve entity related associations from Anomali ThreatStream.

Parameters

Parameter name	Type	Default value	Is mandatory	Description
Return Campaigns	Checkbox	Checked	No	If enabled, action will fetch related campaigns and details about them.
Return Threat Bulletins	Checkbox	Checked	No	If enabled, action will fetch related threat bulletins and details about them.
Return Actors	Checkbox	Checked	No	If enabled, action will fetch related actors and details about them.
Return Attack Patterns	Checkbox	Checked	No	If enabled, action will fetch related attack patterns and details about them.
Return Courses Of Action	Checkbox	Checked	No	If enabled, action will fetch related courses of action and details about them.
Return Identities	Checkbox	Checked	No	If enabled, action will fetch related identities and details about them.
Return Incidents	Checkbox	Checked	No	If enabled, action will fetch related incidents and details about them.
Return Infrastructure	Checkbox	Checked	No	If enabled, action will fetch related infrastructure and details about them.
Return Intrusion Sets	Checkbox	Checked	No	If enabled, action will fetch related intrusion sets and details about them.
Return Malware	Checkbox	Checked	No	If enabled, action will fetch related malware and details about them.
Return Signatures	Checkbox	Checked	No	If enabled, action will fetch related signatures and details about them.
Return Tools	Checkbox	Checked	No	If enabled, action will fetch related tools and details about them.
Return TTPs	Checkbox	Checked	No	If enabled, action will fetch related TTPs and details about them.
Return Vulnerabilities	Checkbox	Checked	No	If enabled, action will fetch related vulnerabilities and details about them.
Create Campaign Entity	Checkbox	Unchecked	No	If enabled, action will create an entity out of available Campaign associations.
Create Actors Entity	Checkbox	Unchecked	No	If enabled, action will create an entity out of available Actor associations.
Create Signature Entity	Checkbox	Unchecked	No	If enabled, action will create an entity out of available Signature associations.
Create Vulnerability Entity	Checkbox	Unchecked	No	If enabled, action will create an entity out of available Vulnerability associations.
Create Insight	Checkbox	Checked	No	If enabled, action will create an insight based on the results.
Create Case Tag	Checkbox	Unchecked	No	If enabled, action will create case tags based on the results.
Max Associations To Return	Integer	5	No	Specify how many associations to return per type. Default: 5
Max Statistics To Return	Integer	3	No	Specify how many top statistics results regarding IOCs to return. Note: The action will at max process 1000 IOCs related to the association. If you provide `0`, action will not try to fetch statistics information.

Run on

This action runs on the following entities:

Hash
IP Address
URL
Email

Action results

Script result

Script result name	Value options	Example
is_success	True or False	is_success:False

JSON result

{
    "campaign": [
        {
            "name": "Coronavirus",
            "id": 1
        },
        {
            "name": "Bad campaign",
            "id": 2
        }
    ],
    "actor": [
        {
            "name": "Actor 1",
            "id": 1
        },
        {
            "name": "Actor 2",
            "id": 2
        }
    ],
    "attackpattern": [
        {
            "name": "Pattern 1",
            "id": 1
        },
        {
            "name": "Pattern 2",
            "id": 2
        }
    ],
    "courseofaction": [
        {
            "name": "Course of Action 1",
            "id": 1
        },
        {
            "name": "Course Of Action 2",
            "id": 2
        }
    ],
    "identity": [
        {
            "name": "Identity 1",
            "id": 1
        },
        {
            "name": "Identity 2",
            "id": 2
        }
    ],
    "incident": [
        {
            "name": "Incident 1",
            "id": 1
        },
        {
            "name": "Incident 2",
            "id": 2
        }
    ],
    "infrastructure": [
        {
            "name": "Infrustructure 1",
            "id": 1
        },
        {
            "name": "Infrustructure 2",
            "id": 2
        }
    ],
    "intrusionset": [
        {
            "name": "Intrusion set 1",
            "id": 1
        },
        {
            "name": "Intrusion set 2",
            "id": 2
        }
    ],
    "malware": [
        {
            "name": "Malware 1",
            "id": 1
        },
        {
            "name": "Malware 2",
            "id": 2
        }
    ],
    "signature": [
        {
            "name": "Signature 1",
            "id": 1
        },
        {
            "name": "Signature 2",
            "id": 2
        }
    ],
    "tool": [
        {
            "name": "Tool 1",
            "id": 1
        },
        {
            "name": "Tool 2",
            "id": 2
        }
    ],
    "ttp": [
        {
            "name": "TTP 1",
            "id": 1
        },
        {
            "name": "TTP 2",
            "id": 2
        }
    ],
    "vulnerability": [
        {
            "name": "Vulnerability 1",
            "id": 1
        },
        {
            "name": "Vulnerability 2",
            "id": 2
        }
    ],
}

Case wall

Result type	Description	Type
Output message*	The action should not fail nor stop a playbook execution: If successful and at least one association across entities is found (is_success=true): "Successfully retrieved related associations from Anomali ThreatStream" If no associations are found (is_success=false): "No related associations were found." Async Message: "Waiting for all of the association details to be retrieved" The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to server, other is reported: "Error executing action "Get Related Association". Reason: {0}''.format(error.Stacktrace)	General
Case Wall Table	Table Name: "Related Associations" Table Columns: ID Name Type Status

Result type

Description

Type

Output message*

The action should not fail nor stop a playbook execution:

If successful and at least one association across entities is found (is_success=true): "Successfully retrieved related associations from Anomali ThreatStream"

If no associations are found (is_success=false): "No related associations were found."

Async Message: "Waiting for all of the association details to be retrieved"

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to server, other is reported: "Error executing action "Get Related Association". Reason: {0}''.format(error.Stacktrace)

General

Case Wall Table

Table Name: "Related Associations"

Table Columns:

ID
Name
Type
Status

Get Related Entities

Description

Retrieve related entities based on the associations in Anomali ThreatStream.

Parameters

Parameter name	Type	Default value	Is mandatory	Description
Confidence Threshold	Integer	N/A	Yes	Specify what should be the confidence threshold. Maximum is 100.
Search Threat Bulletins	Checkbox	Checked	No	If enabled, action will search among threat bulletins.
Search Actors	Checkbox	Checked	No	If enabled, action will search among actors.
Search Attack Patterns	Checkbox	Checked	No	If enabled, action will search among attack patterns.
Search Campaigns	Checkbox	Checked	No	If enabled, action will search campaigns.
Search Courses Of Action	Checkbox	Checked	No	If enabled, action will search among courses of action.
Search Identities	Checkbox	Checked	No	If enabled, action will search among identities.
Search Incidents	Checkbox	Checked	No	If enabled, action will search among incidents.
Search Infrastructures	Checkbox	Checked	No	If enabled, action will search among infrastructures.
Search Intrusion Sets	Checkbox	Checked	No	If enabled, action will search among intrusion sets.
Search Malware	Checkbox	Checked	No	If enabled, action will search among malware.
Search Signatures	Checkbox	Checked	No	If enabled, action will search among signatures.
Search Tools	Checkbox	Checked	No	If enabled, action will search among tools.
Search TTPs	Checkbox	Checked	No	If enabled, action will search among ttps.
Search Vulnerabilities	Checkbox	Checked	No	If enabled, action will search among vulnerabilities.
Max Entities To Return	Integer	50	No	Specify how many entities to return per entity type.

Run on

This action runs on the following entities:

Hash
IP Address
URL
Email (user entity that matches email regex)
Threat Actor
CVE

Action results

Script result

Script result name	Value options	Example
is_success	True or False	is_success:False

JSON result

JSON results shouldn't be split between entities. Everything should be in one place.

{
"{}_hashes".format(subtype): [""],
"all_hashes": ["md5hash_1"],
"domains": [""]
"urls": []
"emails": []
"ips": []
}

Case wall

Result type	Description	Type
Output message*	The action should not fail nor stop a playbook execution: If successful and at least one hash across entities is found (is_success=true): "Successfully retrieved related hashes from Anomali ThreatStream" If no hashes are found (is_success=false): "No related hashes were found." The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to server, other is reported: "Error executing action "Get Related Hashes". Reason: {0}''.format(error.Stacktrace) If the "Confidence Threshold" parameter is not in 0-100 range: "'Confidence Threshold' value should be in range from 0 to 100."	General

Result type

Description

Type

Output message*

The action should not fail nor stop a playbook execution:

If successful and at least one hash across entities is found (is_success=true): "Successfully retrieved related hashes from Anomali ThreatStream"

If no hashes are found (is_success=false): "No related hashes were found."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to server, other is reported: "Error executing action "Get Related Hashes". Reason: {0}''.format(error.Stacktrace)

If the "Confidence Threshold" parameter is not in 0-100 range: "'Confidence Threshold' value should be in range from 0 to 100."

General

Ping

Description

Test connectivity to Anomali ThreatStream with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.

Parameters

N/A

Run on

This action doesn't run on entities, nor has mandatory input parameters.

Action results

Script result

Script result name	Value options	Example
is_success	True or False	is_success:False

JSON result

N/A

Case wall

Result type	Description	Type
Output message*	The action should not fail nor stop a playbook execution: If successful: "Successfully connected to the Anomali ThreatStream server with the provided connection parameters!" The action should fail and stop a playbook execution: If not successful:"Failed to connect to the Anomali ThreatStream server! Error is {0}".format(exception.stacktrace)	General

Result type

Description

Type

Output message*

The action should not fail nor stop a playbook execution:

If successful: "Successfully connected to the Anomali ThreatStream server with the provided connection parameters!"

The action should fail and stop a playbook execution:

If not successful:"Failed to connect to the Anomali ThreatStream server! Error is {0}".format(exception.stacktrace)

General

Remove Tags From Entities

Description

Remove tags from entities in Anomali ThreatStream. Supported entities: Hash, URL, IP Address, Email Address (user entity that matches email regex).

Parameters

Parameter name	Type	Default value	Is mandatory	Description
Tags	CSV	N/A	Yes	Specify a comma-separated list of tags that need to be removed from entities in Anomali ThreatStream.

Run on

This action runs on the following entities:

Hash
IP Address
URL
Email

Action results

Script result

Script result name	Value options	Example
is_success	True or False	is_success:False

JSON result

N/A

Case wall

Result type	Description	Type
Output message*	The action should not fail nor stop a playbook execution: If successful and at least one tag is removed from one entity (is_success=true): "Successfully removed the following tags from the "{entity.identifier}" entity in Anomali ThreatStream:\n{0}".format(tags) If one tag is not found for one entity (is_success=true): "The following tags were already not a part of "{entity.identifier}" entity in Anomali ThreatStream:\n{0}".format(tags) If all tags are not found for one entity (is_success=true): "None of the provided tags were part of "{entity.identifier}" entity in Anomali ThreatStream." If one entity is not found (is_success=true): "The following entities were not found in Anomali ThreatStream\n: {0}".format([entity.identifier]) If all entities are not found (is_success=false): "None of the provided entities were found." The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to server, other is reported: "Error executing action "Remove Tags From Entities". Reason: {0}''.format(error.Stacktrace)	General

Result type

Description

Type

Output message*

The action should not fail nor stop a playbook execution:

If successful and at least one tag is removed from one entity (is_success=true): "Successfully removed the following tags from the "{entity.identifier}" entity in Anomali ThreatStream:\n{0}".format(tags)

If one tag is not found for one entity (is_success=true): "The following tags were already not a part of "{entity.identifier}" entity in Anomali ThreatStream:\n{0}".format(tags)

If all tags are not found for one entity (is_success=true): "None of the provided tags were part of "{entity.identifier}" entity in Anomali ThreatStream."

If one entity is not found (is_success=true): "The following entities were not found in Anomali ThreatStream\n: {0}".format([entity.identifier])

If all entities are not found (is_success=false): "None of the provided entities were found."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to server, other is reported: "Error executing action "Remove Tags From Entities". Reason: {0}''.format(error.Stacktrace)

General

Report As False Positive

Description

Report entities in Anomali ThreatStream as false positive. Supported entities: Hash, URL, IP Address, Email Address (user entity that matches email regex).

Parameters

Parameter name	Type	Default value	Is mandatory	Description
Reason	String	N/A	Yes	Specify the reason why you want to mark entities as false positives.
Comment	String	N/A	Yes	Specify additional information related to your decision regarding marking the entity as false positive.

Run on

This action runs on the following entities:

Hash
IP Address
URL
Email Address (user entity that matches email regex)

Action results

Script result

Script result name	Value options	Example
is_success	True or False	is_success:False

JSON result

N/A

Case wall

Result type	Description	Type
Output message*	The action should not fail nor stop a playbook execution: If successful and at least one hash across entities is found (is_success=true): "Successfully reported the following entities as false positive in Anomali ThreatStream:\n{0}".format(entity.identifier list) If fail to mark specific entities (is_success=true): "Action was not able to report the following entities as false positive in Anomali ThreatStream\n: {0}".format([entity.identifier]) If fail to enrich all entities (is_success=false): "No entities were reported as false positive." The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to server, other is reported: "Error executing action "Report As False Positive". Reason: {0}''.format(error.Stacktrace)	General

Result type

Description

Type

Output message*

The action should not fail nor stop a playbook execution:

If successful and at least one hash across entities is found (is_success=true): "Successfully reported the following entities as false positive in Anomali ThreatStream:\n{0}".format(entity.identifier list)

If fail to mark specific entities (is_success=true): "Action was not able to report the following entities as false positive in Anomali ThreatStream\n: {0}".format([entity.identifier])

If fail to enrich all entities (is_success=false): "No entities were reported as false positive."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to server, other is reported: "Error executing action "Report As False Positive". Reason: {0}''.format(error.Stacktrace)

General

Submit Observables

Description

Submit an observable to Anomali ThreatStream based on IP, URL, Hash, Email entities. Supported entities: Hash, URL, IP Address, Email Address (user entity that matches email regex).

Where to find trusted circle IDs

To find the ID of a trusted circle, locate the trusted circle on Anomali ThreatStream, and click on its name. The URL displayed in the address bar shows the ID. For example: https://siemplify.threatstream.com/search?trustedcircles=13.

Parameters

Parameter name	Type	Default value	Is mandatory	Description
Classification	DDL	Private Possible values: Public Private	Yes	Specify the classification of the observable.
Threat Type	DDL	APT Possible Values APT Adware Anomalous Anomyzation Bot Brute C2 Compromised Crypto Data Leakage DDOS Dynamic DNS Exfil Exploit Fraud Hacking Tool I2P Informational Malware P2P Parked Phish Scan Sinkhole Social Spam Suppress Suspicious TOR VPS	Yes	Specify the threat type for the observables.
Source	String	Siemplify	No	Specify the intelligence source for the observable.
Expiration Date	Integer	N/A	No	Specify the expiration date in days for the observable. If nothing is specified here, action will create an observable that will never expire.
Trusted Circle IDs	CSV	N/A	No	Specify the comma-separated list of trusted circle ids. Observables will be shared with those trusted circles.
TLP	DDL	Select One Possible Values: Select One Red Green Amber White	No	Specify the TLP for your observables.
Confidence	Integer	N/A	No	Specify what should be the confidence for the observable. Note: This parameter will only work, if you create observables in your organization and requires Override System Confidence to be enabled.
Override System Confidence	Checkbox	Unchecked	No	If enabled, created observables will have the confidence specified in the Confidence parameter. Note: You can't share observables in trusted circles and publicly, when this parameter is enabled.
Anonymous Submission	Checkbox	Unchecked	No	If enabled, action will make an anonymous submission.
Tags	CSV	N/A	No	Specify a comma-separated list of tags that you want to add to observable.

Run on

This action runs on the following entities:

Hash
IP Address
URL
Email

Action results

Script result

Script result name	Value options	Example
is_success	True or False	is_success:False

JSON result

approved_jobs = [
    {
        "id" ,
        "entity": {entity.identifier}
    }
]
    jobs_with_excluded_entities = [
    {
        "id":,
        "entity": {entity.identifier}
    }
]

Case wall

Result type Description Type

Output message*

Result type	Description	Type
Output message*	The action should not fail nor stop a playbook execution: If successful and at least one hash across entities is found(is_success=true): "Successfully submitted and approved the following entities in Anomali ThreatStream:\n{0}".format(entity.identifier list) If fails to enrich some entities (rejected entities) (is_success=true): "Action was not able to successfully submit and approve the following entities in Anomali ThreatStream\n: {0}".format([entity.identifier]) If fails to enrich for all entities (is_success=false): "No entities were successfully submitted to Anomali ThreatStream." The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to server, other is reported: "Error executing action "Submit Observables". Reason: {0}''.format(error.Stacktrace) If the 400 status code is reported: "Error executing action "Submit Observables". Reason: {0}''.format(message)	General
	Link: `https://siemplify.threatstream.com/import/review/{jobid}`	Entity

The action should not fail nor stop a playbook execution:

If successful and at least one hash across entities is found(is_success=true): "Successfully submitted and approved the following entities in Anomali ThreatStream:\n{0}".format(entity.identifier list)

If fails to enrich some entities (rejected entities) (is_success=true): "Action was not able to successfully submit and approve the following entities in Anomali ThreatStream\n: {0}".format([entity.identifier])

If fails to enrich for all entities (is_success=false): "No entities were successfully submitted to Anomali ThreatStream."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to server, other is reported: "Error executing action "Submit Observables". Reason: {0}''.format(error.Stacktrace)

If the 400 status code is reported: "Error executing action "Submit Observables". Reason: {0}''.format(message)

General

Link:

https://siemplify.threatstream.com/import/review/{jobid}

Entity

Connectors

Anomali ThreatStream - Observables Connector

Description

Pull observables from Anomali ThreatStream.

Where to find trusted circle IDs

Configure Anomali ThreatStream - Observables Connector in Google Security Operations SOAR

For detailed instructions about how to configure a connector in Google Security Operations SOAR, see Configuring the connector.

Connector parameters

Use the following parameters to configure the connector:

Parameter name	Type	Default value	Is mandatory	Description
Product Field Name	String	Product Name	Yes	Enter the source field name in order to retrieve the Product Field name.
Event Field Name	String	type	Yes	Enter the source field name in order to retrieve the Event Field name.
Environment Field Name	String	""	No	Describes the name of the field where the environment name is stored. If the environment field isn't found, the environment is the default environment.
Environment Regex Pattern	String	.*	No	A regex pattern to run on the value found in the "Environment Field Name" field. Default is .* to catch all and return the value unchanged. Used to allow the user to manipulate the environment field via regex logic. If the regex pattern is null or empty, or the environment value is null, the final environment result is the default environment.
Script Timeout (Seconds)	Integer	300	Yes	Timeout limit for the python process running the current script.
API Root	String	https://api.threatstream.com	Yes	API root of the Anomali ThreatStream instance.
Email Address	String	N/A	Yes	Email address of the Anomali ThreatStream account.
API Key	Password	N/A	Yes	API Key of the Anomali ThreatStream account.
Lowest Severity To Fetch	String	High	Yes	Lowest severity that will be used to fetch observables. Possible values: Low Medium High Very-High
Lowest Confidence To Fetch	Integer	50	Yes	Lowest confidence that will be used to fetch observables. Maximum is 100.
Source Feed Filter	CSV	N/A	No	Comma-separated list of feed ids that should be used to ingest observables. Example: 515,4129
Observable Type Filter	CSV	url, domain, email, hash, ip, ipv6	No	Comma-separated list of observable types that should be ingested. Example: url, domain Possible values: url, domain, email, hash, ip, ipv6
Observable Status Filter	CSV	active	No	Comma-separated list of observable status that should be used to ingest new data. Example: active,inactive Possible values: active,inactive,falsepos
Threat Type Filter	CSV	N/A	No	Comma-separated list of threat types that should be used to ingest observables. Example: аdware,anomalous,anonymization,apt Possible values: аdware,anomalous,anonymization,apt,bot,brute,c2,compromised,crypto,data_leakage,ddos,dyn_dns,exfil,exploit,fraud,hack_tool,i2p,informational,malware,p2p,parked,phish,scan,sinkhole,spam,suppress,suspicious,tor,vps
Trusted Circle Filter	CSV	N/A	No	Comma-separated list of trusted circle ids that should be used to ingest observables. Example: 146,147
Tag Name Filter	CSV	N/A	No	Comma-separated list of tag names associated with observables that should be used with ingestion. Example: Microsoft Credentials, Phishing
Source Feed Grouping	Checkbox	Unchecked	No	If enabled, the connector will group observables from the same source under the same Google Security Operations SOAR Alert.
Fetch Max Days Backwards	Integer	1	No	Amount of days from where to fetch observables.
Max Observables Per Alert	Integer	100	No	How many observables should be a part of one Google Security Operations SOAR alert. Maximum is 200.
Use whitelist as a blacklist	Checkbox	Unchecked	Yes	If enabled, whitelist will be used as a blacklist.
Verify SSL	Checkbox	Unchecked	Yes	If enabled, verify the SSL certificate for the connection to the Anomali ThreatStream server is valid.
Proxy Server Address	String	N/A	No	The address of the proxy server to use.
Proxy Username	String	N/A	No	The proxy username to authenticate with.
Proxy Password	Password	N/A	No	The proxy password to authenticate with.

Connector rules

Proxy support

The connector supports Proxy.