Area 1

Integration version: 4.0

Configure Area 1 integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter name Type Default value Is mandatory Description
Instance Name String N/A No Name of the Instance you intend to configure integration for.
Description String N/A No Description of the Instance.
Api Root String https://: Yes Address of the Area 1 instance.
Username String N/A Yes The email address of the user which should be used to connect to Area 1.
Password Password N/A Yes The password of the according user.
Verify SSL Checkbox Checked No Use this checkbox, if your Area 1 connection requires an SSL verification.
Run Remotely Checkbox Unchecked No Check the field in order to run the configured integration remotely. Once checked, the option appears to select the remote user (agent).

Actions

Get Recent Indicators

Description

Get recent malicious indicators from Area 1 that might be related to phishing.

Parameters

Parameter Type Default value Description
Seconds Back String N/A N/A

Run on

This action runs on all entities.

Action results

Script result
Script result name Value options Example
Is_Success True/False Is_Success:False
JSON result
[
    {
        "threat_categories":
        [{
            "classification_disposition": ["Unclassified"]
        }],
        "threat_name": "Microsoft Favicon Impersonation",
        "item_name": "lamcdaniel.com/nc_assets/css/12/",
        "item_type": "url",
        "first_seen": 1550127499097,
        "last_seen": 1550134395800
    }, {
        "threat_categories":
        [{
            "category": ["Universal"],
            "threat_type": ["Actor Tool"],
            "classification_disposition": ["Unclassified"]
        }],
        "threat_name": "Area 1 Identified Malicious",
        "item_name": "e039e82c00e4ae0ddc92908c705350ec",
        "item_type": "filehash",
        "first_seen": 1550125103575,
        "last_seen": 1550125103575
    }
]

Ping

Description

Test Area 1 connectivity.

Run on

This action runs on all entities.

Action results

Script result
Script result name Value options Example
is_success True/False is_success:False

Search Indicator

Description

Search indicator on Area 1 by hash, URL, domain, IP, email.

Run on

This action runs on all entities.

Action results

Entity enrichment
Enrichment rield name Logic - When to apply
AREA1_category Returns if it exists in JSON result
AREA1_threat_type Returns if it exists in JSON result
AREA1_classification_disposition Returns if it exists in JSON result
AREA1_confidence_rating Returns if it exists in JSON result
AREA1_intervals Returns if it exists in JSON result
AREA1_value Returns if it exists in JSON result
AREA1_type Returns if it exists in JSON result
AREA1_name Returns if it exists in JSON result
Script result
Script result name Value options Example
is_success True/False is_success:False
JSON result
[
    {
        "EntityResult": "85f321d7f27916de21992c5284ff632db3db3481",
        "Entity": "indicator"
    }, {
        "EntityResult": "red",
        "Entity": "tlp"
    }, {
        "EntityResult": 80,
        "Entity": "overall_confidence"
    }, {
        "EntityResult": "85f321d7f27916de21992c5284ff632db3db3481",
        "Entity": "name"
    }, {
        "EntityResult": [
            {
                "category": ["Universal"],
                "threat_type": ["Actor Tool"],
                "classification_disposition": ["Unclassified"]
            }],
        "Entity": "threat_categories"
    }, {
        "EntityResult": "drizzle",
        "Entity": "author"
    }, {
        "EntityResult": "85f321d7f27916de21992c5284ff632db3db3481",
        "Entity": "filehash"
    }, {
        "EntityResult": 1550125103522,
        "Entity": "first_detected"
    }, {
        "EntityResult": "85f321d7f27916de21992c5284ff632db3db3481",
        "Entity": "Hash_SHA1"
    }, {
        "EntityResult": "Area 1 Identified Malicious",
        "Entity": "threat_name"
    }, {
        "EntityResult": "85f321d7f27916de21992c5284ff632db3db3481",
        "Entity": "query_term"
    }, {
        "EntityResult": "MAICIOUS",
        "Entity": "disposition"
    }, {
        "EntityResult": "file",
        "Entity": "family"
    }, {
        "EntityResult": [
            {
                "category": "Indicator Category",
                "confidence_rating": 80,
                "intervals": [
                    {
                        "start": 1550120952000,
                        "end": "current"
                    }],
                "value": "Universal"
            }],
        "Entity": "tag_histories"
    }, {
        "EntityResult": 1550125103522,
        "Entity": "first_seen"
    }, {
        "EntityResult": [
            {
                "type": "Hash_MD5",
                "name": "e412341be78003526999f77e8728526e"
            }, {
                "type": "Hash_SHA256",
                "name": "61f006012d2bd7f43bc14ecbeb6a7e690f9d68b4b6b396dab5805be2da75c717"
            }],
        "Entity": "aliases"
    }, {
        "EntityResult": "Hash_SHA1", "Entity": "type"
    }, {
        "EntityResult": 1550120950000,
        "Entity": "last_seen"
    }
]