Siemplify ThreatFuse

Integration version: 14.0

Configure Siemplify ThreatFuse integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter Display Name	Type	Default Value	Is Mandatory	Description
Web Root	String	https://siemplify.threatstream.com	Yes	Web Root of the Siemplify ThreatFuse instance. This parameter is used for creating report links across integration items.
API Root	String	https://api.threatstream.com	Yes	API Root of the Siemplify ThreatFuse instance.
Email Address	String	N/A	Yes	Email address of the Siemplify ThreatFuse account.
API Key	Password	N/A	Yes	API key of the Siemplify ThreatFuse account.
Verify SSL	Checkbox	Checked	Yes	If enabled, verifies that the SSL certificate for the connection to the Siemplify ThreatFuse server is valid.

To obtain the API key, complete the following steps:

In your ThreatStream account settings, go to the My profile tab.
Go to the Account information section.
Copy the API Key value.

Use Cases

Enrich entities.

Actions

Ping

Description

Test connectivity to the Siemplify ThreatFuse with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.

Run On

The action idoesn't run on entities, nor has mandatory input parameters.

Action Results

Script Result

Script Result Name	Value Options	Example
is_success	True/False	is_success=False

Case Wall

Result Type	Value / Description	Type
Output message*	The action should not fail nor stop a playbook execution: If successful: "Successfully connected to the Siemplify ThreatFuse server with the provided connection parameters!" The action should fail and stop a playbook execution: If not successful: "Failed to connect to the Siemplify ThreatFuse server! Error is {0}".format(exception.stacktrace)	General

Result Type

Value / Description

Type

Output message*

The action should not fail nor stop a playbook execution:

If successful: "Successfully connected to the Siemplify ThreatFuse server with the provided connection parameters!"

The action should fail and stop a playbook execution:

If not successful: "Failed to connect to the Siemplify ThreatFuse server! Error is {0}".format(exception.stacktrace)

General

Enrich Entities

Description

Retrieve information about IPs, URLs, hashes, email addresses from Siemplify ThreatFuse. If multiple records are found for the same entity, the action will enrich using the latest record.

Parameters

Parameter Display Name	Type	Default Value	Is Mandatory	Description
Severity Threshold	DDL	Medium Possible value: Very High High Medium Low	Yes	Specify the severity threshold for the entity, in order to mark it as suspicious. If multiple records are found for the same entity, the action takes the highest severity out of all available records.
Confidence Threshold	Integer	N/A	Yes	Specify the confidence threshold for the entity, in order to mark it as suspicious. Maximum is 100. If multiple records are found for the entity, the action takes the average. Active records have priority.
Ignore False Positive Status	Checkbox	Unchecked	No	If enabled, the action ignores the false positive status and mark the entity as suspicious based on the "Severity Threshold" and "Confidence Threshold" parameters. If disabled, the action never labels false positive entities as suspicious, regardless, if they pass the "Severity Threshold" and "Confidence Threshold" conditions or not.
Add Threat Type To Case	Checkbox	Unchecked	No	If enabled, the action adds threat types of the entity from all records as tags to the case. Example: apt
Only Suspicious Entity Insight	Checkbox	Unchecked	Yes	If enabled, the action creates insight only for entities that exceeded the "Severity Threshold" and "Confidence Threshold" parameters.
Create Insight	Checkbox	Unchecked	Yes	If enabled, the action adds an insight per processed entity.

Run On

This action runs on the following entities:

Hash
IP Address
URL
User Name with Email regexes

Action Results

Script Result

Script Result Name	Value Options	Example
is_success	True/False	is_success=False

JSON Result

{
    "objects": [
        {
            "status": "inactive",
            "itype": "mal_md5",
            "expiration_ts": "2019-02-25T08:58:58.000Z",
            "ip": null,
            "is_editable": false,
            "feed_id": 2197,
            "update_id": 3328068779,
            "longitude": null,
            "org": "",
            "threat_type": "malware",
            "workgroups": [],
            "rdns": null,
            "confidence": 60,
            "uuid": "31d9ed97-9811-4b4b-9e2d-4b3f822eb37f",
            "subtype": "MD5",
            "trusted_circle_ids": [
                146,
                254
            ],
            "id": 51744433673,
            "source": "targetedthreats - OSINT",
            "owner_organization_id": 2,
            "import_session_id": null,
            "latitude": null,
            "type": "md5",
            "sort": [
                1551097291170
            ],
            "description": null,
            "tags": [
                {
                    "id": "fvj",
                    "name": "Family=Code4HK"
                },
                {
                    "id": "zwz",
                    "name": "Report=https://malware.lu/articles/2014/09/29/analysis-of-code4hk.html"
                }
            ],
            "threatscore": 54,
            "source_reported_confidence": 60,
            "modified_ts": "2019-02-25T12:21:31.170Z",
            "is_public": false,
            "asn": "",
            "created_ts": "2018-11-27T09:00:33.468Z",
            "tlp": null,
            "is_anonymous": false,
            "country": null,
            "can_add_public_tags": false,
            "value": "15e5143e1c843b4836d7b6d5424fb4a5",
            "retina_confidence": -1,
            "meta": {
                "detail2": "bifocals_deactivated_on_2019-02-25_09:30:00.127233",
                "severity": "high"
            },
            "resource_uri": "/api/v2/intelligence/51744433673/"
      "report_link": "https://siemplify.threatstream.com/detail/url/http:%2F%2Fsweetpineapple.co.za%2Fwp-admin%2Fuser%2Finternetbanking.suncorpbank.htm"
        },
        {
            "status": "active",
            "itype": "apt_md5",
            "expiration_ts": "9999-12-31T00:00:00+00:00",
            "ip": null,
            "is_editable": false,
            "feed_id": 191,
            "update_id": 5406560,
            "value": "15e5143e1c843b4836d7b6d5424fb4a5",
            "is_public": true,
            "threat_type": "apt",
            "workgroups": [],
            "rdns": null,
            "confidence": 90,
            "uuid": null,
            "retina_confidence": -1,
            "trusted_circle_ids": null,
            "id": 5406560,
            "source": "SLC Alert Malware Domains",
            "owner_organization_id": 736,
            "import_session_id": null,
            "latitude": null,
            "type": "md5",
            "sort": [
                1421928716491
            ],
            "description": null,
            "tags": [
                {
                    "name": "HITRUST"
                },
                {
                    "name": "Public-Threats"
                }
            ],
            "threatscore": 77,
            "source_reported_confidence": 60,
            "modified_ts": "2015-01-22T12:11:56.491Z",
            "org": "",
            "asn": "",
            "created_ts": "2015-01-22T12:11:56.491Z",
            "tlp": null,
            "is_anonymous": null,
            "country": null,
            "can_add_public_tags": true,
            "longitude": null,
            "subtype": "MD5",
            "meta": {
                "severity": "high",
                "detail": "Public Threats,HITRUST"
            },
            "resource_uri": "/api/v2/intelligence/5406560/"
        },
        {
            "status": "active",
            "itype": "apt_md5",
            "expiration_ts": "9999-12-31T00:00:00+00:00",
            "ip": null,
            "is_editable": false,
            "feed_id": 0,
            "update_id": 59177,
            "value": "15e5143e1c843b4836d7b6d5424fb4a5",
            "is_public": true,
            "threat_type": "apt",
            "workgroups": [],
            "rdns": null,
            "confidence": 100,
            "uuid": null,
            "retina_confidence": -1,
            "trusted_circle_ids": null,
            "id": 59177,
            "source": "Analyst",
            "owner_organization_id": 2,
            "import_session_id": 2325,
            "latitude": null,
            "type": "md5",
            "sort": [
                1412172414589
            ],
            "description": null,
            "tags": [
                {
                    "name": "apt_md5"
                },
                {
                    "name": "CN-APT"
                },
                {
                    "name": "IOS-Malware"
                },
                {
                    "name": "LadyBoyle"
                }
            ],
            "threatscore": 85,
            "source_reported_confidence": 0,
            "modified_ts": "2014-10-01T14:06:54.589Z",
            "org": "",
            "asn": "",
            "created_ts": "2014-10-01T14:06:40.858Z",
            "tlp": null,
            "is_anonymous": null,
            "country": null,
            "can_add_public_tags": false,
            "longitude": null,
            "subtype": "MD5",
            "meta": {
                "detail2": "imported by user 1",
                "severity": "very-high",
                "detail": "LadyBoyle, IOS Malware, CN APT"
            },
            "resource_uri": "/api/v2/intelligence/59177/"
        }
    ],
    "is_risky": "true"
    "meta": {
        "total_count": 3,
        "offset": 0,
        "limit": 1000,
        "took": 27,
        "next": null
    }
}

Entity Enrichment

Enrichment Field Name	Logic - When to apply
TFuse_id	When available in JSON
TFuse_status	When available in JSON
TFuse_itype	When available in JSON
TFuse_expiration_time	When available in JSON
TFuse_ip	When available in JSON
TFuse_feed_id	When available in JSON
TFuse_confidence	When available in JSON
TFuse_uuid	When available in JSON
TFuse_retina_confidence	When available in JSON
TFuse_trusted_circle_ids	When available in JSON
TFuse_source	When available in JSON
TFuse_latitude	When available in JSON
TFuse_type	When available in JSON
TFuse_description	When available in JSON
TFuse_tags	When available in JSON
TFuse_threat_score	When available in JSON
TFuse_source_confidence	When available in JSON
TFuse_modification_time	When available in JSON
TFuse_org_name	When available in JSON
TFuse_asn	When available in JSON
TFuse_creation_time	When available in JSON
TFuse_tlp	When available in JSON
TFuse_country	When available in JSON
TFuse_longitude	When available in JSON
TFuse_severity	When available in JSON
TFuse_subtype	When available in JSON
TFuse_report	When available in JSON

Case Wall

Result Type	Value / Description	Type
Output message*	The action should not fail nor stop a playbook execution: If successful and at least one of the provided entities is enriched (is_success=true): "Successfully enriched the following entities using Siemplify ThreatFuse: \n {0}".format(entity.identifier list) If fail to enrich specific entities (is_success=true): "Action was not able to enrich the following entities using Siemplify ThreatFuse\n: {0}".format([entity.identifier]) If fail to enrich for all entities (is_success=false): "No entities were enriched." The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Enrich Entities". Reason: {0}''.format(error.Stacktrace) If the "Confidence Threshold" parameter is not in the 0-100 range: "'Confidence Threshold' value should be in range from 0 to 100."	General
CSV	Table Name: Related Analysis Links: {entity_identifier} Table Columns: Name: mapped as key in the second response (example Virustotal) Link: mapped as value to the key	General
CSV	Keys based on the enrichment table. The No Enrichment Prefix, parameter is capitalized.	General

Result Type

Value / Description

Type

Output message*

The action should not fail nor stop a playbook execution:

If successful and at least one of the provided entities is enriched (is_success=true): "Successfully enriched the following entities using Siemplify ThreatFuse: \n {0}".format(entity.identifier list)

If fail to enrich specific entities (is_success=true): "Action was not able to enrich the following entities using Siemplify ThreatFuse\n: {0}".format([entity.identifier])

If fail to enrich for all entities (is_success=false): "No entities were enriched."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Enrich Entities". Reason: {0}''.format(error.Stacktrace)

If the "Confidence Threshold" parameter is not in the 0-100 range: "'Confidence Threshold' value should be in range from 0 to 100."

General

CSV

Table Name: Related Analysis Links: {entity_identifier}

Table Columns:

Name: mapped as key in the second response (example Virustotal)
Link: mapped as value to the key

General

CSV

Keys based on the enrichment table.

The No Enrichment Prefix, parameter is capitalized.

General

Get Related Hashes

Description

Retrieve entity related hashes based on the associations in Siemplify ThreatFuse.

Parameters

Parameter Display Name	Type	Default Value	Is Mandatory	Description
Confidence Threshold	Integer	N/A	Yes	Specify the confidence threshold. Maximum: 100
Search Threat Bulletins	Checkbox	Checked	No	If enabled, the action searches among threat bulletins.
Search Actors	Checkbox	Checked	No	If enabled, the action searches among actors.
Search Attack Patterns	Checkbox	Checked	No	If enabled, the action searches among attack patterns.
Search Campaigns	Checkbox	Checked	No	If enabled, the action searches campaigns.
Search Courses Of Action	Checkbox	Checked	No	If enabled, the action searches among courses of action.
Search Identities	Checkbox	Checked	No	If enabled, the action searches among identities.
Search Incidents	Checkbox	Checked	No	If enabled, the action searches among incidents.
Search Infrastructures	Checkbox	Checked	No	If enabled, the action searches among infrastructures.
Search Intrusion Sets	Checkbox	Checked	No	If enabled, the action searches among intrusion sets.
Search Malware	Checkbox	Checked	No	If enabled, the action searches among malware.
Search Signatures	Checkbox	Checked	No	If enabled, the action searches among signatures.
Search Tools	Checkbox	Checked	No	If enabled, the action searches among tools.
Search TTPs	Checkbox	Checked	No	If enabled, the action searches among TTPs.
Search Vulnerabilities	Checkbox	Checked	No	If enabled, the action searches among vulnerabilities.
Max Hashes To Return	Integer	50	No	Specify the number of hashes to return.

Run On

This action runs on the following entities:

Hash
IP Address
URL
User Name with Email regexes
Threat Actor
CVE

Action Results

Script Result

Script Result Name	Value Options	Example
is_success	True/False	is_success=False

JSON Result

{
"{}_hashes".format(subtype): ["md5hash_1"],
"all_hashes": ["md5hash_1"]
}

Case Wall

Result Type	Value / Description	Type
Output message*	The action should not fail nor stop a playbook execution: If successful and at least one hash across entities is found (is_success=true): "Successfully retrieved related hashes from Siemplify ThreatFuse" If no hashes are found (is_success=false): "No related hashes were found." The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Get Related Hashes". Reason: {0}''.format(error.Stacktrace) If the "Confidence Threshold" parameter is not in the 0-100 range: "'Confidence Threshold' value should be in range from 0 to 100."	General

Result Type

Value / Description

Type

Output message*

The action should not fail nor stop a playbook execution:

If successful and at least one hash across entities is found (is_success=true): "Successfully retrieved related hashes from Siemplify ThreatFuse"

If no hashes are found (is_success=false): "No related hashes were found."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Get Related Hashes". Reason: {0}''.format(error.Stacktrace)

If the "Confidence Threshold" parameter is not in the 0-100 range: "'Confidence Threshold' value should be in range from 0 to 100."

General

Get Related URLs

Description

Retrieve entity related URLs based on the associations in Siemplify ThreatFuse.

Parameters

Parameter Display Name	Type	Default Value	Is Mandatory	Description
Confidence Threshold	Integer	N/A	Yes	Specify the confidence threshold. Maximum: 100
Search Threat Bulletins	Checkbox	Checked	No	If enabled, the action searches among threat bulletins.
Search Actors	Checkbox	Checked	No	If enabled, the action searches among actors.
Search Attack Patterns	Checkbox	Checked	No	If enabled, the action searches among attack patterns.
Search Campaigns	Checkbox	Checked	No	If enabled, the action searches campaigns.
Search Courses Of Action	Checkbox	Checked	No	If enabled, the action searches among courses of action.
Search Identities	Checkbox	Checked	No	If enabled, the action searches among identities.
Search Incidents	Checkbox	Checked	No	If enabled, the action searches among incidents.
Search Infrastructures	Checkbox	Checked	No	If enabled, the action searches among infrastructures.
Search Intrusion Sets	Checkbox	Checked	No	If enabled, the action searches among intrusion sets.
Search Malware	Checkbox	Checked	No	If enabled, the action searches among malware.
Search Signatures	Checkbox	Checked	No	If enabled, the action searches among signatures.
Search Tools	Checkbox	Checked	No	If enabled, the action searches among tools.
Search TTPs	Checkbox	Checked	No	If enabled, the action searches among TTPs.
Search Vulnerabilities	Checkbox	Checked	No	If enabled, the action searches among vulnerabilities.
Max URLs To Return	Integer	50	No	Specify the number of URLs to return.

Run On

This action runs on the following entities:

Hash
IP Address
URL
User Name with Email regexes
Threat Actor
CVE

Action Results

Script Result

Script Result Name	Value Options	Example
is_success	True/False	is_success=False

JSON Result

{
"urls": ["https://www.google.com/url?q=http:/wzFgw"]
}

Case Wall

Result Type	Value / Description	Type
Output message*	The action should not fail nor stop a playbook execution: If successful and at least one URL across entities is found (is_success=true): "Successfully retrieved related urls from Siemplify ThreatFuse." If no hashes are found (is_success=false): "No related urls were found." The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Get Related URLs". Reason: {0}''.format(error.Stacktrace) If the "Confidence Threshold" parameter is not in the 0-100 range: "'Confidence Threshold' value should be in range from 0 to 100."	General

Result Type

Value / Description

Type

Output message*

The action should not fail nor stop a playbook execution:

If successful and at least one URL across entities is found (is_success=true): "Successfully retrieved related urls from Siemplify ThreatFuse."

If no hashes are found (is_success=false): "No related urls were found."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Get Related URLs". Reason: {0}''.format(error.Stacktrace)

If the "Confidence Threshold" parameter is not in the 0-100 range: "'Confidence Threshold' value should be in range from 0 to 100."

General

Get Related Domains

Description

Retrieve entity related domains based on the associations in Siemplify ThreatFuse.

Parameters

Parameter Display Name	Type	Default Value	Is Mandatory	Description
Confidence Threshold	Integer	N/A	Yes	Specify the confidence threshold. Maximum: 100
Search Threat Bulletins	Checkbox	Checked	No	If enabled, the action searches among threat bulletins.
Search Actors	Checkbox	Checked	No	If enabled, the action searches among actors.
Search Attack Patterns	Checkbox	Checked	No	If enabled, the action searches among attack patterns.
Search Campaigns	Checkbox	Checked	No	If enabled, the action searches campaigns.
Search Courses Of Action	Checkbox	Checked	No	If enabled, the action searches among courses of action.
Search Identities	Checkbox	Checked	No	If enabled, the action searches among identities.
Search Incidents	Checkbox	Checked	No	If enabled, the action searches among incidents.
Search Infrastructures	Checkbox	Checked	No	If enabled, the action searches among infrastructures.
Search Intrusion Sets	Checkbox	Checked	No	If enabled, the action searches among intrusion sets.
Search Malware	Checkbox	Checked	No	If enabled, the action searches among malware.
Search Signatures	Checkbox	Checked	No	If enabled, the action searches among signatures.
Search Tools	Checkbox	Checked	No	If enabled, the action searches among tools.
Search TTPs	Checkbox	Checked	No	If enabled, the action searches among TTPs.
Search Vulnerabilities	Checkbox	Checked	No	If enabled, the action searches among vulnerabilities.
Max Domains To Return	Integer	50	No	Specify the number of domains to return.

Run On

This action runs on the following entities:

Hash
IP Address
URL
User Name with Email regexes
Threat Actor
CVE

Action Results

Script Result

Script Result Name	Value Options	Example
is_success	True/False	is_success=False

JSON Result

{
"domains": ["www.google.com"]
}

Case Wall

Result Type	Value / Description	Type
Output message*	The action should not fail nor stop a playbook execution: If successful and at least one hash across entities is found (issuccess=true): "Successfully retrieved related domains from Siemplify ThreatFuse." If no hashes are found (issuccess=false): "No related domains were found." The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Get Related Domains". Reason: {0}''.format(error.Stacktrace) If the "Confidence Threshold" parameter is not in the 0-100 range: "'Confidence Threshold' value should be in range from 0 to 100."	General

Result Type

Value / Description

Type

Output message*

The action should not fail nor stop a playbook execution:

If successful and at least one hash across entities is found (issuccess=true): "Successfully retrieved related domains from Siemplify ThreatFuse."

If no hashes are found (issuccess=false): "No related domains were found."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Get Related Domains". Reason: {0}''.format(error.Stacktrace)

If the "Confidence Threshold" parameter is not in the 0-100 range: "'Confidence Threshold' value should be in range from 0 to 100."

General

Get Related Email Addresses

Description

Retrieve entity related email addresses based on the associations in Siemplify ThreatFuse.

Parameters

Parameter Display Name	Type	Default Value	Is Mandatory	Description
Confidence Threshold	Integer	N/A	Yes	Specify the confidence threshold. Maximum: 100
Search Threat Bulletins	Checkbox	Checked	No	If enabled, the action searches among threat bulletins.
Search Actors	Checkbox	Checked	No	If enabled, the action searches among actors.
Search Attack Patterns	Checkbox	Checked	No	If enabled, the action searches among attack patterns.
Search Campaigns	Checkbox	Checked	No	If enabled, the action searches campaigns.
Search Courses Of Action	Checkbox	Checked	No	If enabled, the action searches among courses of action.
Search Identities	Checkbox	Checked	No	If enabled, the action searches among identities.
Search Incidents	Checkbox	Checked	No	If enabled, the action searches among incidents.
Search Infrastructures	Checkbox	Checked	No	If enabled, the action searches among infrastructures.
Search Intrusion Sets	Checkbox	Checked	No	If enabled, the action searches among intrusion sets.
Search Malware	Checkbox	Checked	No	If enabled, the action searches among malware.
Search Signatures	Checkbox	Checked	No	If enabled, the action searches among signatures.
Search Tools	Checkbox	Checked	No	If enabled, the action searches among tools.
Search TTPs	Checkbox	Checked	No	If enabled, the action searches among TTPs.
Search Vulnerabilities	Checkbox	Checked	No	If enabled, the action searches among vulnerabilities.
Max Domains To Return	Integer	50	No	Specify the number of domains to return.

Run On

This action runs on the following entities:

Hash
IP Address
URL
User Name with Email regexes
Threat Actor
CVE

Action Results

Script Result

Script Result Name	Value Options	Example
is_success	True/False	is_success=False

JSON Result

{
"urls": ["https://www.google.com/url?q=http:/wzFgw"]
}

Case Wall

Result Type	Value / Description	Type
Output message*	The action should not fail nor stop a playbook execution: If successful and at least one hash across entities is found (issuccess=true): "Successfully retrieved related email addresses from Siemplify ThreatFuse." If no hashes are found (issuccess=false): "No related email addresses were found." The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Get Related Email Addresses". Reason: {0}''.format(error.Stacktrace) If the "Confidence Threshold" parameter is not in range 0-100: "'Confidence Threshold' value should be in range from 0 to 100."	General

Result Type

Value / Description

Type

Output message*

The action should not fail nor stop a playbook execution:

If successful and at least one hash across entities is found (issuccess=true): "Successfully retrieved related email addresses from Siemplify ThreatFuse."

If no hashes are found (issuccess=false): "No related email addresses were found."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Get Related Email Addresses". Reason: {0}''.format(error.Stacktrace)

If the "Confidence Threshold" parameter is not in range 0-100: "'Confidence Threshold' value should be in range from 0 to 100."

General

Get Related IPs

Description

Retrieve entity related IP addresses based on the associations in Siemplify ThreatFuse.

Parameters

Parameter Display Name	Type	Default Value	Is Mandatory	Description
Confidence Threshold	Integer	N/A	Yes	Specify the confidence threshold. Maximum: 100
Search Threat Bulletins	Checkbox	Checked	No	If enabled, the action searches among threat bulletins.
Search Actors	Checkbox	Checked	No	If enabled, the action searches among actors.
Search Attack Patterns	Checkbox	Checked	No	If enabled, the action searches among attack patterns.
Search Campaigns	Checkbox	Checked	No	If enabled, the action searches campaigns.
Search Courses Of Action	Checkbox	Checked	No	If enabled, the action search among courses of action.
Search Identities	Checkbox	Checked	No	If enabled, the action searches among identities.
Search Incidents	Checkbox	Checked	No	If enabled, the action searches among incidents.
Search Infrastructures	Checkbox	Checked	No	If enabled, the action searches among infrastructures.
Search Intrusion Sets	Checkbox	Checked	No	If enabled, the action searches among intrusion sets.
Search Malware	Checkbox	Checked	No	If enabled, the action searches among malware.
Search Signatures	Checkbox	Checked	No	If enabled, the action searches among signatures.
Search Tools	Checkbox	Checked	No	If enabled, the action searches among tools.
Search TTPs	Checkbox	Checked	No	If enabled, the action searches among TTPs.
Search Vulnerabilities	Checkbox	Checked	No	If enabled, the action searches among vulnerabilities.
Max Domains To Return	Integer	50	No	Specify the number of domains to return.

Run On

This action runs on the following entities:

Hash
IP Address
URL
User Name with Email regexes
Threat Actor
CVE

Action Results

Script Result

Script Result Name	Value Options	Example
is_success	True/False	is_success=False

JSON Result

{
"urls": ["https://www.google.com/url?q=http:/wzFgw"]
}

Case Wall

Result Type	Value / Description	Type
Output message\*	The action should not fail nor stop a playbook execution: If successful and at least one hash across entities is found (is_success=true): "Successfully retrieved related IPs from Siemplify ThreatFuse." If no hashes are found (is_success=false): "No related IPs were found." The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Get Related IPs". Reason: {0}''.format(error.Stacktrace) If the "Confidence Threshold" parameter is not in the 0-100 range: "'Confidence Threshold' value should be in range from 0 to 100."	General

Result Type

Value / Description

Type

Output message\*

The action should not fail nor stop a playbook execution:

If successful and at least one hash across entities is found (is_success=true): "Successfully retrieved related IPs from Siemplify ThreatFuse."

If no hashes are found (is_success=false): "No related IPs were found."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Get Related IPs". Reason: {0}''.format(error.Stacktrace)

If the "Confidence Threshold" parameter is not in the 0-100 range: "'Confidence Threshold' value should be in range from 0 to 100."

General

Get Related Associations

Description

Retrieve entity related associations from Siemplify ThreatFuse.

Parameters

Parameter Display Name	Type	Default Value	Is Mandatory	Description
Return Campaigns	Checkbox	Checked	No	If enabled, the action fetches related campaigns and details about them.
Return Threat Bulletins	Checkbox	Unchecked	No	If enabled, the action fetches related threat bulletins and details about them.
Return Actors	Checkbox	Unchecked	No	If enabled, the action fetches related actors and details about them.
Return Attack Patterns	Checkbox	Unchecked	No	If enabled, the action fetches related attack patterns and details about them.
Return Courses Of Action	Checkbox	Unchecked	No	If enabled, the action fetches related courses of action and details about them.
Return Identities	Checkbox	Unchecked	No	If enabled, the action fetches related identities and details about them.
Return Incidents	Checkbox	Unchecked	No	If enabled, the action fetches related incidents and details about them.
Return Infrastructure	Checkbox	Unchecked	No	If enabled, the action fetches related infrastructure and details about them.
Return Intrusion Sets	Checkbox	Unchecked	No	If enabled, the action fetches related intrusion sets and details about them.
Return Malware	Checkbox	Unchecked	No	If enabled, the action fetches related malware and details about them.
Return Signatures	Checkbox	Unchecked	No	If enabled, the action fetches related signatures and details about them.
Return Tools	Checkbox	Unchecked	No	If enabled, the action fetches related tools and details about them.
Return TTPs	Checkbox	Unchecked	No	If enabled, the action fetches related TTPs and details about them.
Return Vulnerabilities	Checkbox	Checked	No	If enabled, the action fetches related vulnerabilities and details about them.
Create Campaign Entity	Checkbox	Unchecked	No	If enabled, the action creates an entity out of available "Campaign" associations.
Create Actors Entity	Checkbox	Unchecked	No	If enabled, the action creates an entity out of available "Actor" associations.
Create Signature Entity	Checkbox	Unchecked	No	If enabled, the action creates an entity out of available "Signature" associations.
Create Vulnerability Entity	Checkbox	Unchecked	No	If enabled, the action creates an entity out of available "Vulnerability" associations.
Create Insight	Checkbox	Checked	No	If enabled, the action creates an insight based on the results.
Create Case Tag	Checkbox	Checked	No	If enabled, the action creates case tags based on the results.
Max Associations To Return	Integer	N/A	No	Specify the number of associations to return per type.
Max Statistics To Return	Integer	3	No	Specify the number of top statistics results regarding IOCs to return. Note: The action processes the maximum of 1000 IOCs related to the association. If you provide "0", the action does not try to fetch statistics information.

Run On

This action runs on the following entities:

Hash
IP Address
URL
User Name with Email regexes

Action Results

Script result

Script Result Name	Value Options	Example
is_success	True/False	is_success=False

JSON Result

{
    "campaign": [
        {
            "name": "Coronavirus",
            "id": 1
        },
        {
            "name": "Bad campaign",
            "id": 2
        }
    ],
    "actor": [
        {
            "name": "Actor 1",
            "id": 1
        },
        {
            "name": "Actor 2",
            "id": 2
        }
    ],
    "attackpattern": [
        {
            "name": "Pattern 1",
            "id": 1
        },
        {
            "name": "Pattern 2",
            "id": 2
        }
    ],
    "courseofaction": [
        {
            "name": "Course of Action 1",
            "id": 1
        },
        {
            "name": "Course Of Action 2",
            "id": 2
        }
    ],
    "identity": [
        {
            "name": "Identity 1",
            "id": 1
        },
        {
            "name": "Identity 2",
            "id": 2
        }
    ],
    "incident": [
        {
            "name": "Incident 1",
            "id": 1
        },
        {
            "name": "Incident 2",
            "id": 2
        }
    ],
    "infrastructure": [
        {
            "name": "Infrustructure 1",
            "id": 1
        },
        {
            "name": "Infrustructure 2",
            "id": 2
        }
    ],
    "intrusionset": [
        {
            "name": "Intrusion set 1",
            "id": 1
        },
        {
            "name": "Intrusion set 2",
            "id": 2
        }
    ],
    "malware": [
        {
            "name": "Malware 1",
            "id": 1
        },
        {
            "name": "Malware 2",
            "id": 2
        }
    ],
    "signature": [
        {
            "name": "Signature 1",
            "id": 1
        },
        {
            "name": "Signature 2",
            "id": 2
        }
    ],
    "tool": [
        {
            "name": "Tool 1",
            "id": 1
        },
        {
            "name": "Tool 2",
            "id": 2
        }
    ],
    "ttp": [
        {
            "name": "TTP 1",
            "id": 1
        },
        {
            "name": "TTP 2",
            "id": 2
        }
    ],
    "vulnerability": [
        {
            "name": "Vulnerability 1",
            "id": 1
        },
        {
            "name": "Vulnerability 2",
            "id": 2
        }
    ],
}

Case Wall

Result Type	Value / Description	Type
Output message*	The action should not fail nor stop a playbook execution: If successful and at least one association across entities is found (is_success=true): "Successfully retrieved related associations from Siemplify ThreatFuse" If no associations are found (is_success=false): "No related associations were found." Async Message: Waiting for all of the association details to be retrieved" The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Get Related Association". Reason: {0}''.format(error.Stacktrace)	General
CSV	Name: "Related Associations" Columns: ID Name Type (association name) Status (mapped as status/display_name)	General

Result Type

Value / Description

Type

Output message*

The action should not fail nor stop a playbook execution:

If successful and at least one association across entities is found (is_success=true): "Successfully retrieved related associations from Siemplify ThreatFuse"

If no associations are found (is_success=false): "No related associations were found."

Async Message: Waiting for all of the association details to be retrieved"

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Get Related Association". Reason: {0}''.format(error.Stacktrace)

General

CSV

Name: "Related Associations"

Columns:

ID
Name
Type (association name)
Status (mapped as status/display_name)

General

Submit Observables

Description

Submit an observable to Siemplify ThreatFuse based on the IP, URL, Hash, Email entities.

Where to find trusted circle IDs

To find the ID of a trusted circle, locate the trusted circle on Siemplify ThreatFuse, and click on its name. The URL displayed in the address bar shows the ID.

For example: https://siemplify.threatstream.com/search?trustedcircles=13.

Parameters

Parameter Display Name	Type	Default Value	Is Mandatory	Description
Classification	DDL	Private Possible Values: Public Private	Yes	Specify the classification of the observable.
Threat Type	DDL	APT Possible Values APT Adware Anomalous Anomyzation Bot Brute C2 Compromised Crypto Data Leakage DDOS Dynamic DNS Exfil Exploit Fraud Hacking Tool I2P Informational Malware P2 Parked Phish Scan Sinkhole Social Spam Suppress Suspicious TOR VPS	Yes	Specify the threat type for the observables.
Source	String	Siemplify	No	Specify the intelligence source for the observable.
Expiration Date	Integer	N/A	No	Specify the expiration date in days for the observable. If nothing is specified here, the action creates an observable that never expires.
Trusted Circle IDs	CSV	N/A	No	Specify a comma-separated list of trusted circle IDs. Observables are shared with those trusted circles.
TLP	DDL	Select One Possible Values: Select One Red Green Amber White	No	Specify the TLP for your observables.
Confidence	Integer	N/A	No	Specify what should be the confidence for the observable. Note: This parameter only works, if you create observables in your organization and the "Override System Confidence" parameter is enabled.
Override System Confidence	Checkbox	Unchecked	No	If enabled, created observables has the confidence specified in the "Confidence" parameter. Note: You can't share observables in trusted circles and publicly, when this parameter is enabled.
Anonymous Submission	Checkbox	Unchecked	No	If enabled, the action makes an anonymous submission.
Tags	CSV	N/A	No	Specify a comma-separated list of tags that you want to add to observable.

Run On

This action runs on the following entities:

Hash
IP Address
URL
User Name with Email regexes

Action Results

Script Result

Script Result Name	Value Options	Example
is_success	True/False	is_success=False

JSON Result

approved_jobs = [
    {
        "id": 123123,
        "entity": {entity.identifier}
    }
]
    jobs_with_excluded_entities = [
    {
        "id": 123123,
        "entity": {entity.identifier}
    }
]

Case Wall

Result Type	Value / Description	Type
Output message*	The action should not fail nor stop a playbook execution: If successful and at least one hash across entities is found (is_success=true): "Successfully submitted and approved the following entities in Siemplify ThreatFuse:\n{0}".format(entity.identifier list) If fail for some entities (rejected entities) (is_success=true): "Action was not able to successfully submit and approve the following entities in Siemplify ThreatFuse\n: {0}".format([entity.identifier]) If fail to enrich for all entities (is_success=false): "No entities were successfully submitted to Siemplify ThreatFuse." The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Submit Observable". Reason: {0}''.format(error.Stacktrace) If the 400 status code is reported: "Error executing action "Submit Observable". Reason: {0}''.format(message)	General

Result Type

Value / Description

Type

Output message*

The action should not fail nor stop a playbook execution:

If successful and at least one hash across entities is found (is_success=true): "Successfully submitted and approved the following entities in Siemplify ThreatFuse:\n{0}".format(entity.identifier list)

If fail for some entities (rejected entities) (is_success=true): "Action was not able to successfully submit and approve the following entities in Siemplify ThreatFuse\n: {0}".format([entity.identifier])

If fail to enrich for all entities (is_success=false): "No entities were successfully submitted to Siemplify ThreatFuse."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Submit Observable". Reason: {0}''.format(error.Stacktrace)

If the 400 status code is reported: "Error executing action "Submit Observable". Reason: {0}''.format(message)

General

Report As False Positive

Description

Report entities in Siemplify ThreatFuse as false positive.

Parameters

Parameter Display Name	Type	Default Value	Is Mandatory	Description
Reason	String	N/A	Yes	Specify the reason why you want to mark entities as false positive.
Comment	String	N/A	Yes	Specify additional information related to your decision regarding marking the entity as false positive.

Run On

This action runs on the following entities:

Hash
IP Address
URL
User Name with Email regexes

Action Results

Script Result

Script Result Name	Value Options
is_success	is_success=False
is_success	is_success=True

Case Wall

Result Type	Value / Description	Type
Output message*	The action should not fail nor stop a playbook execution: If successful and at least one hash across entities is found (is_success=true): "Successfully reported the following entities as false positive in Siemplify ThreatFuse:\n{0}".format(entity.identifier list) If fail to mark specific entities (is_success=true): "Action was not able to report the following entities as false positive in Siemplify ThreatFuse\n: {0}".format([entity.identifier]) If fail to enrich for all entities (issuccess=false): "No entities were reported as false positive." The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Report As False Positive". Reason: {0}''.format(error.Stacktrace)	General

Result Type

Value / Description

Type

Output message*

The action should not fail nor stop a playbook execution:

If successful and at least one hash across entities is found (is_success=true): "Successfully reported the following entities as false positive in Siemplify ThreatFuse:\n{0}".format(entity.identifier list)

If fail to mark specific entities (is_success=true): "Action was not able to report the following entities as false positive in Siemplify ThreatFuse\n: {0}".format([entity.identifier])

If fail to enrich for all entities (issuccess=false): "No entities were reported as false positive."

The action should fail and stop a playbook execution:

If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Report As False Positive". Reason: {0}''.format(error.Stacktrace)

General

Connector

Configure Siemplify ThreatFuse - Observables Connector

For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.

Siemplify ThreatFuse - Observables Connector

Pull observables from Siemplify ThreatFuse.

Recommendations

When configuring connector, it is recommended to use a separate environment, so that the analysts won't be flooded with all of the speculative alerts.

Where to find trusted circle IDs

To find the ID of a trusted circle, locate the trusted circle on Siemplify ThreatFuse, and click its name. The URL displayed in the address bar shows the ID.

For example: https://siemplify.threatstream.com/search?trustedcircles=13.

Connector parameters

Use the following parameters to configure the connector:

Parameter Display Name	Type	Default Value	Is Mandatory	Description
Product Field Name	String	Product Name	Yes	Enter the source field name in order to retrieve the Product Field name.
Event Field Name	String	type	Yes	Enter the source field name in order to retrieve the Event Field name.
Environment Field Name	String	""	No	Describes the name of the field where the environment name is stored. If the environment field isn't found, the environment is the default environment.
Environment Regex Pattern	String	.*	No	A regex pattern to run on the value found in the "Environment Field Name" field. Default is .* to catch all and return the value unchanged. Used to allow the user to manipulate the environment field via regex logic. If the regex pattern is null or empty, or the environment value is null, the final environment result is the default environment.
Script Timeout (Seconds)	Integer	300	Yes	Timeout limit for the python process running the current script.
API Root	String	https://api.threat stream.com	Yes	API root of the Siemplify ThreatFuse instance.
Email Address	String	N/A	Yes	Email address of the Siemplify ThreatFuse account.
API Key	Password	N/A	Yes	API Key of the Siemplify ThreatFuse account.
Lowest Severity To Fetch	String	High	Yes	Lowest severity that will be used to fetch observables. Possible values: Low Medium High Very-High
Lowest Confidence To Fetch	Integer	50	Yes	Lowest confidence that will be used to fetch observables. Maximum is 100.
Source Feed Filter	CSV	N/A	No	Comma-separated list of feed ids that should be used to ingest observables. Example: 515,4129
Observable Type Filter	CSV	url, domain, email, hash, ip, ipv6	No	Comma-separated list of observable types that should be ingested. Example: url, domain Possible values: url, domain, email, hash, ip, ipv6
Observable Status Filter	CSV	active	No	Comma-separated list of observable status that should be used to ingest new data. Example: active,inactive Possible values: active,inactive,falsepos
Threat Type Filter	CSV	N/A	No	Comma-separated list of threat types that should be used to ingest observables. Example: аdware,anomalous,anonymization,apt Possible values: аdware,anomalous,anonymization, apt,bot,brute,c2,compromised, crypto,data_leakage,ddos,dyn_dns,exfil, exploit,fraud,hack_tool,i2p,informational, malware,p2p,parked,phish,scan,sinkhole,spam, suppress,suspicious,tor,vps
Trusted Circle Filter	CSV	N/A	No	Comma-separated list of trusted circle ids that should be used to ingest observables. Example: 146,147
Tag Name Filter	CSV	N/A	No	Comma-separated list of tag names associated with observables that should be used with ingestion. Example: Microsoft Credentials, Phishing.
Source Feed Grouping	Checkbox	Unchecked	No	If enabled, the connector will group observables from the same source under the same Siemplify Alert.
Fetch Max Days Backwards	Integer	1	No	Amount of days from where to fetch observables.
Max Observables Per Alert	Integer	100	No	How many observables should be a part of one Siemplify Alert. Maximum is 200.
Use whitelist as a blacklist	Checkbox	Unchecked	Yes	If enabled, dynamic list will be used as a blocklist.
Verify SSL	Checkbox	Unchecked	Yes	If enabled, verify the SSL certificate for the connection to the Siemplify Threatfuse server is valid.
Proxy Server Address	String	N/A	No	The address of the proxy server to use.
Proxy Username	String	N/A	No	The proxy username to authenticate with.
Proxy Password	Password	N/A	No	The proxy password to authenticate with.

Connector rules

Proxy support

The connector supports proxy.