BlueLiv
Integration version: 8.0
Integration guide
The purpose of the integration is to ingest threats from BlueLiv through the Threats Connector, using the relevant filters so that only the desired threats appear in Google Security Operations SOAR, and then to perform additional actions on those threats according to the relevant use cases.
This quick guide walks through a few things that make using the integration easier for Google Security Operations SOAR customers.
Integration configuration
The parameters, and where to find their values, are as follows:
- API Root - the URL you use to view the BlueLiv homepage, with the suffix /api/v2 added to it. For example, https://tcdach.blueliv.com/api/v2 should be the value of this parameter.
- User name - the same user name you use to connect to the BlueLiv homepage.
- Password - the same password you use to connect to the BlueLiv homepage.
- Organization ID - you can easily spot the organization ID in the URL you use to browse the product itself. For example, in https://tcdach.blueliv.com/dashboard/organizations/117/indexed the organization ID is 117.
After going through the integration parameters, we can deep dive to the other terms in our integration.
Module Types
BlueLiv divides its threats section into module types, and this integration uses those types so that the SOAR platform ingests only the relevant information when you filter by module type. The following module types are currently available in BlueLiv:
- Credentials
- Social Media
- Credit Cards
- Domain Protection
- Malware
- Data Leakage
- Hacktivism
- Dark Web
- Custom
- Media Tracker
- Mobile Apps
Threat ID and Module ID
Every threat you can find in BlueLiv has a UID, a number that represents it. It can also be easily spotted in the URL. A threat is also called a resource. Likewise, every module you have in BlueLiv has a UID that represents it. For example, in https://tcdach.blueliv.com/dashboard/organizations/117/modules/1303/resource/31024379 the threat UID is 31024379 and the module UID is 1303.
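The URL shapes above carry every identifier the integration asks for. The following helper is an added example, not part of the integration, and assumes only the two dashboard path layouts shown in this guide; it derives the API Root and pulls the organization, module and resource IDs out of a BlueLiv UI URL so they do not have to be copied by hand.

```python
import re
from urllib.parse import urlsplit

# Added example (not the integration's own code). Dashboard path shapes
# taken from this guide:
#   /dashboard/organizations/<org>/indexed
#   /dashboard/organizations/<org>/modules/<module>/resource/<resource>
_DASHBOARD_RE = re.compile(
    r"^/dashboard/organizations/(?P<org>\d+)(?=/|$)"
    r"(?:/modules/(?P<module>\d+)(?:/resource/(?P<resource>\d+))?)?"
)


def api_root_from_ui_url(ui_url: str) -> str:
    """Return scheme://host plus the /api/v2 suffix the API Root parameter expects."""
    parts = urlsplit(ui_url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"not an absolute BlueLiv URL: {ui_url!r}")
    return f"{parts.scheme}://{parts.netloc}/api/v2"


def parse_dashboard_url(ui_url: str) -> dict:
    """Extract organization, module and resource (threat) IDs from a dashboard URL.

    Parts that are absent come back as None, so a caller can tell an
    organization page from a threat page instead of guessing.
    """
    path = urlsplit(ui_url).path
    match = _DASHBOARD_RE.match(path)
    if not match:
        raise ValueError(f"unrecognised BlueLiv dashboard path: {path!r}")
    ids = {name: (int(value) if value is not None else None)
           for name, value in match.groupdict().items()}
    ids["api_root"] = api_root_from_ui_url(ui_url)
    return ids


if __name__ == "__main__":
    for url in (
        "https://tcdach.blueliv.com/dashboard/organizations/117/indexed",
        "https://tcdach.blueliv.com/dashboard/organizations/117/modules/1303/resource/31024379",
    ):
        print(parse_dashboard_url(url))
```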
Recommendation regarding configuration
BlueLiv only allows one open session at a time. For stability, it is recommended to use different users for the integration configuration and for the connectors. Note: each connector needs its own separate user.
Use Cases
- Proactive cyber threat monitoring
- Brand Protection
- Data Breach Protection
- Fraud Prevention
- Counterfeit Detection
Configure BlueLiv integration in Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Integration parameters
Use the following parameters to configure the integration:
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
API Root | String | https://example | Yes | API Root of the BlueLiv instance. |
User Name | String | N/A | Yes | User name of the BlueLiv user. |
Password | Password | N/A | Yes | Password of the BlueLiv user. |
Organization ID | String | N/A | Yes | Specify the Organization ID to use in BlueLiv. |
Verify SSL | Checkbox | Unchecked | Yes | If enabled, verifies that the SSL certificate for the connection to the BlueLiv server is valid. |
Actions
Ping
Description
Test connectivity to BlueLiv with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.
Parameters
N/A
Run On
The action doesn't run on entities, nor does it have mandatory input parameters.
Action Results
Script Result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If both API calls were successful: "Successfully connected to the BlueLiv server with the provided connection parameters!" The action should fail and stop a playbook execution: If only the first call was ok and the second one didn't work: "Successfully logged in with the user name and password, but seems like the Organization ID is not correct. Please check the Organization ID parameter in the Integration Configuration page and try again" If not successful: "Failed to connect to the BlueLiv! Error is {0}".format(exception.stacktrace) | General |
Enrich Entities
Description
Enrich entities using information from the Threat Context module of BlueLiv. Supported entities: IP, Hash, URL, Threat Actor, Threat Campaign, Threat Signature, Domain, CVE.
Parameters
Name | Default Value | Is Mandatory | Description |
---|---|---|---|
Lowest Score To Mark as Suspicious | 5 | Yes | Specify what should be the lowest score for the entity to be marked as suspicious. Maximum: 10. |
Create Insight | True | No | If enabled, action will create insights containing information about entities. |
Run On
This action runs on the following entities:
- IP Address
- Hash
- URL
- Threat Actor
- Threat Campaign
- Threat Signature
- CVE
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
success | True/False | success:False |
Case Wall
Case | Success | Fail | Message |
---|---|---|---|
If enriched some entities | true | false | Successfully enriched the following entities using information from Blueliv: {entity.identifier} |
If not enriched some | true | false | Action wasn't able to enrich the following entities using information from Blueliv: {entity.identifier} |
if not enriched all | false | false | No entities were enriched using information from Blueliv. |
Fatal error, invalid creds, API root | false | true | Error executing action "Enrich Entities". Reason: {error traceback} |
If "Threat Context" module is not available | false | True | Error executing action "Enrich Entities". Reason: your instance doesn't support "Threat Context" module. |
Add Comment to a Threat
Description
The action will add a desired text comment to a specific threat.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Module Type | String | N/A | Yes | Specify the module type the resource belongs to. |
Module ID | String | N/A | Yes | Specify the module ID the resource belongs to. |
Resource ID | String | N/A | Yes | Specify the Resource ID to add the comment to. |
Comment Text | String | N/A | Yes | Provide the comment you would like to add to the resource. |
Run On
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
Case Wall
Result type | Value/Description | Type (Entity \ General) |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If successful: "Successfully added the comment to threat ID: "+{threat_ID} The action should fail and stop a playbook execution: If not successful: "Failed to perform action "Add Comment to a Threat {0}".format(exception.stacktrace) | General |
Case Wall table | Name: "Threat ID "+{threat_id}+" Comments: Column: | |
Mark Threat as a Favorite
Description
The action will mark the specified threat as a favorite threat in BlueLiv.
Parameters
Parameter Display Name | Type | Default Value | DDL Values | Is Mandatory | Description |
---|---|---|---|---|---|
Module Type | String | N/A | N/A | Yes | Specify the module type the resource belongs to. |
Module ID | String | N/A | N/A | Yes | Specify the module ID the resource belongs to. |
Resource ID | String | N/A | N/A | Yes | Specify the Resource ID to mark as a favorite. |
Favorite Status | DDL | User Starred | Not Starred, User Starred, Group Starred, Full Starred | Yes | Provide the Favorite status you would like to apply to the specified threat. |
Run On
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
Case Wall
Result type | Value/Description | Type (Entity \ General) |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If successful: "Successfully marked threat ID: "+{threat_ID}+" as favorite" The action should fail and stop a playbook execution: If not successful: "Failed to perform action "Mark Threat as a Favorite {0}".format(exception.stacktrace) | General |
Add Labels to Threats
Description
The action will add the specified label name to the specified threat IDs.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Module Type | String | N/A | Yes | Specify the module type the resource belongs to. |
Module ID | String | N/A | Yes | Specify the module ID the resource belongs to. |
Resource ID | String | N/A | Yes | Specify the Resource IDs, in a comma-separated list, to add the labels to. |
Label Names | String | N/A | Yes | Specify the label names you would like to apply to the specified threats, in a comma-separated list. Label names are case-sensitive. |
Run On
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
Case Wall
Result type | Value/Description | Type (Entity \ General) |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If some labels weren't found: "Couldn't find the following labels in BlueLiv":+(unsuccessful_label_names_list)+". Please check the label names you have provided in the action parameters and try again" If some threats weren't found: "Couldn't find the following threats in BlueLiv":+(unsuccessful_threat_IDs)+". Please check the threat IDs you have provided in the action parameters and try again" If successful: "Successfully added the following labels:" +(successful_label_names_list)+" to the following threat IDs: "+(successful_threat_IDs_list) The action should fail and stop a playbook execution: If no labels were found: "Couldn't find any of the following labels in BlueLiv":+(unsuccessful_label_names_list)+". Please check the label names you have provided in the action parameters and try again" If no threats were found: "Couldn't find any of the following Threats in BlueLiv":+(unsuccessful_threat_IDs_list)+". Please check the threat IDs you have provided in the action parameters and try again" If not successful: "Failed to perform action "Add Labels to Threats".format(exception.stacktrace) | General |
Remove Labels From Threats
Description
The action will remove the specified labels from the specified threat IDs.
Parameters
Name | Default Value | Is Mandatory | Description |
---|---|---|---|
Module Type | N/A | Yes | Specify the module type the resource belongs to. |
Module ID | N/A | Yes | Specify the module ID the resource belongs to. |
Resource ID | N/A | Yes | Specify a comma-separated list of resource IDs from which you want to remove labels. |
Label Names | N/A | Yes | Specify a comma-separated list of labels that need to be removed. Label names are case-sensitive. |
Run On
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
Case Wall
Case | Success | Fail | Message |
---|---|---|---|
If some labels weren't found | true | false | "Couldn't find the following labels in BlueLiv: \n {labels}. Please check the label names you have provided in the action parameters and try again." |
If some threats weren't found | true | false | Couldn't find the following threats from module {module} {threat IDs}: {threat IDs}. Please check the threat IDs you have provided in the action parameters and try again |
If successful for some: | true | false | Successfully removed the following labels from the following threat {threat ID} in Blueliv: {successful_labels} |
If some were not applied already: | true | false | The following labels were already not a part of the threat {threat ID} in Blueliv: {labels already not a part} |
If no labels are found | false | true | Error executing action "Remove Labels From Threats". Reason: None of the labels were found. Please check the spelling. |
If no threats were found | false | true | Error executing action "Remove Labels From Threats". Reason: None of the threats were found. Please check the spelling. |
Fatal error, invalid creds, API root | false | true | Error executing action "Remove Labels From Threats". Reason: {error traceback} |
If module type or id is not valid | false | true | Error executing action "Remove Labels From Threats". Reason: invalid module ID or module type was provided. |
List Entity Threats
Description
List threats related to entities in BlueLiv. Supported entities: All.
Known Limitations
The BlueLiv API might not return any results even when the search string matches the threat name identically. An example is shown below:
https://pastebin.com/YRkUCLGc - URL is shown, when searching using the "pastebin" keyword.
https://pastebin.com/YRkUCLGc - is not shown, when searching using the "https://pastebin.com/YRkUCLGc" keyword.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Label Filter | CSV | N/A | No | Specify a comma-separated list of labels that will be used to filter threats. Note: the label filter works with "OR" logic. |
Module Filter | CSV | N/A | No | Specify a comma-separated list of modules that will be used to filter threats. |
Max Threats To Return | Integer | 50 | No | Specify how many threats to return per entity. If nothing is specified, the action returns 50 threats. |
Run On
This action runs on all entities.
Action Results
Script Result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
JSON Result
```json
{
  "id": xxxxxxx,
  "module_id": xxxx,
  "module_name": "Data Leakage",
  "module_short_name": "xxx-xxxxx",
  "module_type": "DATA_LEAKAGE",
  "url": "xxx",
  "content_type": "text/html",
  "countries_id": "xx",
  "analysis_result": "INFORMATIVE",
  "analysis_calc_result": "INFORMATIVE",
  "created_at": 1626163680000,
  "checked_at": 1626163680000,
  "changed_at": 1626163680000,
  "user_rating": 0,
  "read": true,
  "fav": "NOT_STARRED",
  "issued": false,
  "labels": [
    {
      "id": 36116,
      "name": "GithubCodeByFilename",
      "background_color": 16777215,
      "text_color": 0,
      "type": "GLOBAL"
    },
    {
      "id": 160,
      "name": "Public",
      "background_color": 45960,
      "text_color": 16777215,
      "type": "GLOBAL"
    }
  ],
  "tlpStatus": "AMBER",
  "searchPhrase": "credit card",
  "followedUp": false,
  "history": []
}
```
Case Wall
Result type | Value/Description | Type (Entity \ General) |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If data is available for one (is_success = true): "Successfully listed available threats to the following entities in Blueliv: {entity.identifier}". If no threats for one (is_success=true): "No related threats were found to the following entities in Blueliv: {entity.identifier}" If no threats for all (is_success=true): "No related threats were found to the provided entities in Blueliv" The action should fail and stop a playbook execution: If fatal error, like wrong credentials, no connection to server, other: "Error executing action "List Entity Threats". Reason: {0}''.format(error.Stacktrace) | General |
Case Wall Table | Title: {entity.identifier} Columns: Module Name, URL, Title, Labels, Created At | Entity |
Connector
BlueLiv - Threats Connector
Description
Pull security threats from BlueLiv. The connector fetches all of the latest threats from BlueLiv modules.
The whitelist and blacklist filters work with BlueLiv module types. For example, if you want to get threats only from Hacktivism modules, turn on the whitelist and type in the "Hacktivism" type name.
Each module type has a different structure of data being ingested into Google Security Operations SOAR. Modify the mapping in your Google Security Operations SOAR instance to best suit your needs, and make sure to check the different "event_type" values of the events coming back from BlueLiv.
For the Malware threat type, we currently provide the basic event data only. An additional event will be added soon to better handle the special data that comes back from a Malware threat type.
Configure BlueLiv - Threats Connector in Google Security Operations SOAR
For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.
Connector parameters
Use the following parameters to configure the connector:
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Product Field Name | String | ProductName | Yes | Enter the source field name in order to retrieve the Product Field name. |
Event Field Name | String | event_type | Yes | Enter the source field name in order to retrieve the Event Field name. |
Environment Field Name | String | "" | No | Describes the name of the field where the environment name is stored. If the environment field isn't found, the environment is the default environment. |
Environment Regex Pattern | String | .* | No | A regex pattern to run on the value found in the "Environment Field Name" field. Default is .* to catch all and return the value unchanged. Used to allow the user to manipulate the environment field via regex logic. If the regex pattern is null or empty, or the environment value is null, the final environment result is the default environment. |
Script Timeout (Seconds) | Integer | 180 | Yes | Timeout limit for the python process running the current script. |
API URL | String | https://example.blueliv.com/api/v2 | Yes | API Root of the BlueLiv instance. |
User Name | String | N/A | Yes | User name for BlueLiv |
Password | Password | N/A | Yes | User password for BlueLiv |
Organization ID | String | N/A | Yes | Specify the Organization ID to use in BlueLiv |
Fetch Max Hours Backwards | Integer | 1 | No | Number of hours back from which to fetch events. |
Max threats To Fetch | Integer | 10 | No | How many threats to process per connector iteration. |
Severity | String | Medium | Yes | Severity of the created alerts; one of the following values: Low, Medium, High, Critical. |
Analysis results to ingest | String (Values: NOT_AVAILABLE, NOT_IMPORTANT, NOT_PROCESSABLE, POSITIVE, NEGATIVE, INFORMATIVE, IMPORTANT) | N/A | No | Filter the threats by the analyst's analysis result, ingesting only threats with the chosen analysis results. Provide a comma-separated list of the desired analysis results to ingest. |
Labels to filter by | String (comma separated list) | N/A | No | Provide a comma-separated list of the label names you want to filter by. Label names are case-sensitive; write them exactly as they appear in the BlueLiv UI. |
Reading status to ingest | String (Values: "Only Read", "Only Unread") | N/A | No | Filter the threats by their reading status so that the connector ingests accordingly. If no value is provided, both are fetched. Options: "Only Read", "Only Unread". |
Should Ingest only starred threats? | Checkbox | Unchecked | No | If checked, only starred (favorite) threats are ingested. |
Should Ingest threats related to incidents? | String (Values: Only Incidents, Only Non Incidents) | N/A | No | Whether the connector filters threats by their relationship to an incident. If no value is provided, both are fetched. Options: Only Incidents - ingest only threats related to incidents; Only Non Incidents - ingest only threats that are not related to incidents. |
Use whitelist as a blacklist | Checkbox | Unchecked | Yes | If enabled, the whitelist is used as a blacklist. |
Verify SSL | Checkbox | Unchecked | Yes | If enabled, verifies that the SSL certificate for the connection to the BlueLiv server is valid. |
Proxy Server Address | String | N/A | No | The address of the proxy server to use. |
Proxy Username | String | N/A | No | The proxy username to authenticate with. |
Proxy Password | Password | N/A | No | The proxy password to authenticate with. |
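The connector parameters above combine into one filtering pass over each fetched threat. The code below is an added example, not the connector's own code; it reproduces the described semantics (module-type whitelist or blacklist, analysis results, case-sensitive label names with OR logic, reading status, starred only, and the per-iteration cap) over records shaped like the JSON Result shown for List Entity Threats. It assumes that UI type names map to module_type values by upper-casing ("Data Leakage" to "DATA_LEAKAGE") and that starred values other than NOT_STARRED follow the same naming style; the sample records are constructed.

```python
from dataclasses import dataclass, field
from typing import Iterable, Optional, Set
# Added example (not the connector's own code): the filter semantics the
# connector parameters describe, applied to List Entity Threats-shaped records.

@dataclass
class ConnectorFilters:
    module_types: Set[str] = field(default_factory=set)      # whitelist, e.g. {"Hacktivism"}
    use_whitelist_as_blacklist: bool = False
    analysis_results: Set[str] = field(default_factory=set)  # e.g. {"POSITIVE", "IMPORTANT"}
    labels: Set[str] = field(default_factory=set)            # exact, case-sensitive label names
    reading_status: Optional[str] = None                     # "Only Read", "Only Unread" or None
    starred_only: bool = False

def normalise_type(ui_name: str) -> str:
    # Assumption: UI type names ("Data Leakage") map to the API's module_type
    # values ("DATA_LEAKAGE") by upper-casing and joining words with "_".
    return "_".join(ui_name.strip().upper().split())

def threat_passes(threat: dict, f: ConnectorFilters) -> bool:
    """True if the threat survives every configured filter."""
    if f.module_types:
        listed = threat.get("module_type", "").upper() in {normalise_type(t) for t in f.module_types}
        if listed == f.use_whitelist_as_blacklist:  # whitelist keeps listed types, blacklist drops them
            return False
    if f.analysis_results and threat.get("analysis_result") not in f.analysis_results:
        return False
    if f.labels:  # OR logic and case-sensitive, as the label filters describe
        if not ({lbl.get("name") for lbl in threat.get("labels", [])} & f.labels):
            return False
    is_read = bool(threat.get("read", False))
    if (f.reading_status == "Only Read" and not is_read) or (f.reading_status == "Only Unread" and is_read):
        return False
    if f.starred_only and threat.get("fav", "NOT_STARRED") == "NOT_STARRED":
        return False
    return True

def filter_threats(threats: Iterable[dict], f: ConnectorFilters, max_to_fetch: int = 10) -> list:
    """Apply the filters and stop at 'Max threats To Fetch' for one iteration."""
    kept = []
    for t in threats:
        if threat_passes(t, f):
            kept.append(t)
            if len(kept) >= max_to_fetch:
                break
    return kept

# Constructed sample records (not real BlueLiv data), trimmed to the fields the filters read;
# starred values other than NOT_STARRED are assumed to follow the same naming style.
SAMPLE_THREATS = [
    {"id": 1, "module_type": "DATA_LEAKAGE", "analysis_result": "INFORMATIVE", "read": True,
     "fav": "NOT_STARRED", "labels": [{"name": "Public"}, {"name": "GithubCodeByFilename"}]},
    {"id": 2, "module_type": "HACKTIVISM", "analysis_result": "IMPORTANT", "read": False,
     "fav": "USER_STARRED", "labels": [{"name": "Public"}]},
    {"id": 3, "module_type": "HACKTIVISM", "analysis_result": "NOT_IMPORTANT", "read": False,
     "fav": "NOT_STARRED", "labels": []},
    {"id": 4, "module_type": "DARK_WEB", "analysis_result": "POSITIVE", "read": True,
     "fav": "GROUP_STARRED", "labels": [{"name": "public"}]},
]
```

Note that record 4 carries the label "public" in lowercase and is therefore not matched by a "Public" filter, which is the case-sensitivity the parameter descriptions warn about.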
Connector Rules
Proxy Support
The connector supports Proxy.