Siemplify ThreatFuse
Integration version: 12.0
Configure Siemplify ThreatFuse integration in Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Integration parameters
Use the following parameters to configure the integration:
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Web Root | String | https://siemplify.threatstream.com | Yes | Web Root of the Siemplify ThreatFuse instance. This parameter is used for creating report links across integration items. |
| API Root | String | https://api.threatstream.com | Yes | API Root of the Siemplify ThreatFuse instance. |
| Email Address | String | N/A | Yes | Email address of the Siemplify ThreatFuse account. |
| API Key | Password | N/A | Yes | API key of the Siemplify ThreatFuse account. |
| Verify SSL | Checkbox | Checked | Yes | If enabled, verifies that the SSL certificate for the connection to the Siemplify ThreatFuse server is valid. |
To obtain the API key, complete the following steps:
In your ThreatStream account settings, go to the My profile tab.
Go to the Account information section.
Copy the API Key value.
Use Cases
Enrich entities.
Actions
Ping
Description
Test connectivity to the Siemplify ThreatFuse with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.
Run On
The action idoesn't run on entities, nor has mandatory input parameters.
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success=False |
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution:
The action should fail and stop a playbook execution:
|
General |
Enrich Entities
Description
Retrieve information about IPs, URLs, hashes, email addresses from Siemplify ThreatFuse. If multiple records are found for the same entity, the action will enrich using the latest record.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Severity Threshold | DDL | Medium Possible value:
|
Yes | Specify the severity threshold for the entity, in order to mark it as suspicious. If multiple records are found for the same entity, the action takes the highest severity out of all available records. |
| Confidence Threshold | Integer | N/A | Yes | Specify the confidence threshold for the entity, in order to mark it as suspicious. Maximum is 100. If multiple records are found for the entity, the action takes the average. Active records have priority. |
| Ignore False Positive Status | Checkbox | Unchecked | No | If enabled, the action ignores the false positive status and mark the entity as suspicious based on the "Severity Threshold" and "Confidence Threshold" parameters. If disabled, the action never labels false positive entities as suspicious, regardless, if they pass the "Severity Threshold" and "Confidence Threshold" conditions or not. |
| Add Threat Type To Case | Checkbox | Unchecked | No | If enabled, the action adds threat types of the entity from all records as tags to the case. Example: apt |
| Only Suspicious Entity Insight | Checkbox | Unchecked | Yes | If enabled, the action creates insight only for entities that exceeded the "Severity Threshold" and "Confidence Threshold" parameters. |
| Create Insight | Checkbox | Unchecked | Yes | If enabled, the action adds an insight per processed entity. |
Run On
This action runs on the following entities:
- Hash
- IP Address
- URL
- User Name with Email regexes
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success=False |
JSON Result
{
"objects": [
{
"status": "inactive",
"itype": "mal_md5",
"expiration_ts": "2019-02-25T08:58:58.000Z",
"ip": null,
"is_editable": false,
"feed_id": 2197,
"update_id": 3328068779,
"longitude": null,
"org": "",
"threat_type": "malware",
"workgroups": [],
"rdns": null,
"confidence": 60,
"uuid": "31d9ed97-9811-4b4b-9e2d-4b3f822eb37f",
"subtype": "MD5",
"trusted_circle_ids": [
146,
254
],
"id": 51744433673,
"source": "targetedthreats - OSINT",
"owner_organization_id": 2,
"import_session_id": null,
"latitude": null,
"type": "md5",
"sort": [
1551097291170
],
"description": null,
"tags": [
{
"id": "fvj",
"name": "Family=Code4HK"
},
{
"id": "zwz",
"name": "Report=https://malware.lu/articles/2014/09/29/analysis-of-code4hk.html"
}
],
"threatscore": 54,
"source_reported_confidence": 60,
"modified_ts": "2019-02-25T12:21:31.170Z",
"is_public": false,
"asn": "",
"created_ts": "2018-11-27T09:00:33.468Z",
"tlp": null,
"is_anonymous": false,
"country": null,
"can_add_public_tags": false,
"value": "15e5143e1c843b4836d7b6d5424fb4a5",
"retina_confidence": -1,
"meta": {
"detail2": "bifocals_deactivated_on_2019-02-25_09:30:00.127233",
"severity": "high"
},
"resource_uri": "/api/v2/intelligence/51744433673/"
"report_link": "https://siemplify.threatstream.com/detail/url/http:%2F%2Fsweetpineapple.co.za%2Fwp-admin%2Fuser%2Finternetbanking.suncorpbank.htm"
},
{
"status": "active",
"itype": "apt_md5",
"expiration_ts": "9999-12-31T00:00:00+00:00",
"ip": null,
"is_editable": false,
"feed_id": 191,
"update_id": 5406560,
"value": "15e5143e1c843b4836d7b6d5424fb4a5",
"is_public": true,
"threat_type": "apt",
"workgroups": [],
"rdns": null,
"confidence": 90,
"uuid": null,
"retina_confidence": -1,
"trusted_circle_ids": null,
"id": 5406560,
"source": "SLC Alert Malware Domains",
"owner_organization_id": 736,
"import_session_id": null,
"latitude": null,
"type": "md5",
"sort": [
1421928716491
],
"description": null,
"tags": [
{
"name": "HITRUST"
},
{
"name": "Public-Threats"
}
],
"threatscore": 77,
"source_reported_confidence": 60,
"modified_ts": "2015-01-22T12:11:56.491Z",
"org": "",
"asn": "",
"created_ts": "2015-01-22T12:11:56.491Z",
"tlp": null,
"is_anonymous": null,
"country": null,
"can_add_public_tags": true,
"longitude": null,
"subtype": "MD5",
"meta": {
"severity": "high",
"detail": "Public Threats,HITRUST"
},
"resource_uri": "/api/v2/intelligence/5406560/"
},
{
"status": "active",
"itype": "apt_md5",
"expiration_ts": "9999-12-31T00:00:00+00:00",
"ip": null,
"is_editable": false,
"feed_id": 0,
"update_id": 59177,
"value": "15e5143e1c843b4836d7b6d5424fb4a5",
"is_public": true,
"threat_type": "apt",
"workgroups": [],
"rdns": null,
"confidence": 100,
"uuid": null,
"retina_confidence": -1,
"trusted_circle_ids": null,
"id": 59177,
"source": "Analyst",
"owner_organization_id": 2,
"import_session_id": 2325,
"latitude": null,
"type": "md5",
"sort": [
1412172414589
],
"description": null,
"tags": [
{
"name": "apt_md5"
},
{
"name": "CN-APT"
},
{
"name": "IOS-Malware"
},
{
"name": "LadyBoyle"
}
],
"threatscore": 85,
"source_reported_confidence": 0,
"modified_ts": "2014-10-01T14:06:54.589Z",
"org": "",
"asn": "",
"created_ts": "2014-10-01T14:06:40.858Z",
"tlp": null,
"is_anonymous": null,
"country": null,
"can_add_public_tags": false,
"longitude": null,
"subtype": "MD5",
"meta": {
"detail2": "imported by user 1",
"severity": "very-high",
"detail": "LadyBoyle, IOS Malware, CN APT"
},
"resource_uri": "/api/v2/intelligence/59177/"
}
],
"is_risky": "true"
"meta": {
"total_count": 3,
"offset": 0,
"limit": 1000,
"took": 27,
"next": null
}
}
Entity Enrichment
| Enrichment Field Name | Logic - When to apply |
|---|---|
| TFuse_id | When available in JSON |
| TFuse_status | When available in JSON |
| TFuse_itype | When available in JSON |
| TFuse_expiration_time | When available in JSON |
| TFuse_ip | When available in JSON |
| TFuse_feed_id | When available in JSON |
| TFuse_confidence | When available in JSON |
| TFuse_uuid | When available in JSON |
| TFuse_retina_confidence | When available in JSON |
| TFuse_trusted_circle_ids | When available in JSON |
| TFuse_source | When available in JSON |
| TFuse_latitude | When available in JSON |
| TFuse_type | When available in JSON |
| TFuse_description | When available in JSON |
| TFuse_tags | When available in JSON |
| TFuse_threat_score | When available in JSON |
| TFuse_source_confidence | When available in JSON |
| TFuse_modification_time | When available in JSON |
| TFuse_org_name | When available in JSON |
| TFuse_asn | When available in JSON |
| TFuse_creation_time | When available in JSON |
| TFuse_tlp | When available in JSON |
| TFuse_country | When available in JSON |
| TFuse_longitude | When available in JSON |
| TFuse_severity | When available in JSON |
| TFuse_subtype | When available in JSON |
| TFuse_report | When available in JSON |
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If successful and at least one of the provided entities is enriched (is_success=true): "Successfully enriched the following entities using Siemplify ThreatFuse: \n {0}".format(entity.identifier list) If fail to enrich specific entities (is_success=true): "Action was not able to enrich the following entities using Siemplify ThreatFuse\n: {0}".format([entity.identifier]) If fail to enrich for all entities (is_success=false): "No entities were enriched." The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Enrich Entities". Reason: {0}''.format(error.Stacktrace) If the "Confidence Threshold" parameter is not in the 0-100 range: "'Confidence Threshold' value should be in range from 0 to 100." |
General |
| CSV | Table Name: Related Analysis Links: {entity_identifier} Table Columns:
|
General |
| CSV | Keys based on the enrichment table. The No Enrichment Prefix, parameter is capitalized. |
General |
Get Related Hashes
Description
Retrieve entity related hashes based on the associations in Siemplify ThreatFuse.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Confidence Threshold | Integer | N/A | Yes | Specify the confidence threshold. Maximum: 100 |
| Search Threat Bulletins | Checkbox | Checked | No | If enabled, the action searches among threat bulletins. |
| Search Actors | Checkbox | Checked | No | If enabled, the action searches among actors. |
| Search Attack Patterns | Checkbox | Checked | No | If enabled, the action searches among attack patterns. |
| Search Campaigns | Checkbox | Checked | No | If enabled, the action searches campaigns. |
| Search Courses Of Action | Checkbox | Checked | No | If enabled, the action searches among courses of action. |
| Search Identities | Checkbox | Checked | No | If enabled, the action searches among identities. |
| Search Incidents | Checkbox | Checked | No | If enabled, the action searches among incidents. |
| Search Infrastructures | Checkbox | Checked | No | If enabled, the action searches among infrastructures. |
| Search Intrusion Sets | Checkbox | Checked | No | If enabled, the action searches among intrusion sets. |
| Search Malware | Checkbox | Checked | No | If enabled, the action searches among malware. |
| Search Signatures | Checkbox | Checked | No | If enabled, the action searches among signatures. |
| Search Tools | Checkbox | Checked | No | If enabled, the action searches among tools. |
| Search TTPs | Checkbox | Checked | No | If enabled, the action searches among TTPs. |
| Search Vulnerabilities | Checkbox | Checked | No | If enabled, the action searches among vulnerabilities. |
| Max Hashes To Return | Integer | 50 | No | Specify the number of hashes to return. |
Run On
This action runs on the following entities:
- Hash
- IP Address
- URL
- User Name with Email regexes
- Threat Actor
- CVE
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success=False |
JSON Result
{
"{}_hashes".format(subtype): ["md5hash_1"],
"all_hashes": ["md5hash_1"]
}
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If successful and at least one hash across entities is found (is_success=true): "Successfully retrieved related hashes from Siemplify ThreatFuse" If no hashes are found (is_success=false): "No related hashes were found." The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Get Related Hashes". Reason: {0}''.format(error.Stacktrace) If the "Confidence Threshold" parameter is not in the 0-100 range: "'Confidence Threshold' value should be in range from 0 to 100." |
General |
Get Related URLs
Description
Retrieve entity related URLs based on the associations in Siemplify ThreatFuse.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Confidence Threshold | Integer | N/A | Yes | Specify the confidence threshold. Maximum: 100 |
| Search Threat Bulletins | Checkbox | Checked | No | If enabled, the action searches among threat bulletins. |
| Search Actors | Checkbox | Checked | No | If enabled, the action searches among actors. |
| Search Attack Patterns | Checkbox | Checked | No | If enabled, the action searches among attack patterns. |
| Search Campaigns | Checkbox | Checked | No | If enabled, the action searches campaigns. |
| Search Courses Of Action | Checkbox | Checked | No | If enabled, the action searches among courses of action. |
| Search Identities | Checkbox | Checked | No | If enabled, the action searches among identities. |
| Search Incidents | Checkbox | Checked | No | If enabled, the action searches among incidents. |
| Search Infrastructures | Checkbox | Checked | No | If enabled, the action searches among infrastructures. |
| Search Intrusion Sets | Checkbox | Checked | No | If enabled, the action searches among intrusion sets. |
| Search Malware | Checkbox | Checked | No | If enabled, the action searches among malware. |
| Search Signatures | Checkbox | Checked | No | If enabled, the action searches among signatures. |
| Search Tools | Checkbox | Checked | No | If enabled, the action searches among tools. |
| Search TTPs | Checkbox | Checked | No | If enabled, the action searches among TTPs. |
| Search Vulnerabilities | Checkbox | Checked | No | If enabled, the action searches among vulnerabilities. |
| Max URLs To Return | Integer | 50 | No | Specify the number of URLs to return. |
Run On
This action runs on the following entities:
- Hash
- IP Address
- URL
- User Name with Email regexes
- Threat Actor
- CVE
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success=False |
JSON Result
{
"urls": ["https://www.google.com/url?q=http:/wzFgw"]
}
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If successful and at least one URL across entities is found (is_success=true): "Successfully retrieved related urls from Siemplify ThreatFuse." If no hashes are found (is_success=false): "No related urls were found." The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Get Related URLs". Reason: {0}''.format(error.Stacktrace) If the "Confidence Threshold" parameter is not in the 0-100 range: "'Confidence Threshold' value should be in range from 0 to 100." |
General |
Get Related Domains
Description
Retrieve entity related domains based on the associations in Siemplify ThreatFuse.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Confidence Threshold | Integer | N/A | Yes | Specify the confidence threshold. Maximum: 100 |
| Search Threat Bulletins | Checkbox | Checked | No | If enabled, the action searches among threat bulletins. |
| Search Actors | Checkbox | Checked | No | If enabled, the action searches among actors. |
| Search Attack Patterns | Checkbox | Checked | No | If enabled, the action searches among attack patterns. |
| Search Campaigns | Checkbox | Checked | No | If enabled, the action searches campaigns. |
| Search Courses Of Action | Checkbox | Checked | No | If enabled, the action searches among courses of action. |
| Search Identities | Checkbox | Checked | No | If enabled, the action searches among identities. |
| Search Incidents | Checkbox | Checked | No | If enabled, the action searches among incidents. |
| Search Infrastructures | Checkbox | Checked | No | If enabled, the action searches among infrastructures. |
| Search Intrusion Sets | Checkbox | Checked | No | If enabled, the action searches among intrusion sets. |
| Search Malware | Checkbox | Checked | No | If enabled, the action searches among malware. |
| Search Signatures | Checkbox | Checked | No | If enabled, the action searches among signatures. |
| Search Tools | Checkbox | Checked | No | If enabled, the action searches among tools. |
| Search TTPs | Checkbox | Checked | No | If enabled, the action searches among TTPs. |
| Search Vulnerabilities | Checkbox | Checked | No | If enabled, the action searches among vulnerabilities. |
| Max Domains To Return | Integer | 50 | No | Specify the number of domains to return. |
Run On
This action runs on the following entities:
- Hash
- IP Address
- URL
- User Name with Email regexes
- Threat Actor
- CVE
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success=False |
JSON Result
{
"domains": ["www.google.com"]
}
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If successful and at least one hash across entities is found (issuccess=true): "Successfully retrieved related domains from Siemplify ThreatFuse." If no hashes are found (issuccess=false): "No related domains were found." The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Get Related Domains". Reason: {0}''.format(error.Stacktrace) If the "Confidence Threshold" parameter is not in the 0-100 range: "'Confidence Threshold' value should be in range from 0 to 100." |
General |
Get Related Email Addresses
Description
Retrieve entity related email addresses based on the associations in Siemplify ThreatFuse.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Confidence Threshold | Integer | N/A | Yes | Specify the confidence threshold. Maximum: 100 |
| Search Threat Bulletins | Checkbox | Checked | No | If enabled, the action searches among threat bulletins. |
| Search Actors | Checkbox | Checked | No | If enabled, the action searches among actors. |
| Search Attack Patterns | Checkbox | Checked | No | If enabled, the action searches among attack patterns. |
| Search Campaigns | Checkbox | Checked | No | If enabled, the action searches campaigns. |
| Search Courses Of Action | Checkbox | Checked | No | If enabled, the action searches among courses of action. |
| Search Identities | Checkbox | Checked | No | If enabled, the action searches among identities. |
| Search Incidents | Checkbox | Checked | No | If enabled, the action searches among incidents. |
| Search Infrastructures | Checkbox | Checked | No | If enabled, the action searches among infrastructures. |
| Search Intrusion Sets | Checkbox | Checked | No | If enabled, the action searches among intrusion sets. |
| Search Malware | Checkbox | Checked | No | If enabled, the action searches among malware. |
| Search Signatures | Checkbox | Checked | No | If enabled, the action searches among signatures. |
| Search Tools | Checkbox | Checked | No | If enabled, the action searches among tools. |
| Search TTPs | Checkbox | Checked | No | If enabled, the action searches among TTPs. |
| Search Vulnerabilities | Checkbox | Checked | No | If enabled, the action searches among vulnerabilities. |
| Max Domains To Return | Integer | 50 | No | Specify the number of domains to return. |
Run On
This action runs on the following entities:
- Hash
- IP Address
- URL
- User Name with Email regexes
- Threat Actor
- CVE
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success=False |
JSON Result
{
"urls": ["https://www.google.com/url?q=http:/wzFgw"]
}
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If successful and at least one hash across entities is found (issuccess=true): "Successfully retrieved related email addresses from Siemplify ThreatFuse." If no hashes are found (issuccess=false): "No related email addresses were found." The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Get Related Email Addresses". Reason: {0}''.format(error.Stacktrace) If the "Confidence Threshold" parameter is not in range 0-100: "'Confidence Threshold' value should be in range from 0 to 100." |
General |
Get Related IPs
Description
Retrieve entity related IP addresses based on the associations in Siemplify ThreatFuse.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Confidence Threshold | Integer | N/A | Yes | Specify the confidence threshold. Maximum: 100 |
| Search Threat Bulletins | Checkbox | Checked | No | If enabled, the action searches among threat bulletins. |
| Search Actors | Checkbox | Checked | No | If enabled, the action searches among actors. |
| Search Attack Patterns | Checkbox | Checked | No | If enabled, the action searches among attack patterns. |
| Search Campaigns | Checkbox | Checked | No | If enabled, the action searches campaigns. |
| Search Courses Of Action | Checkbox | Checked | No | If enabled, the action search among courses of action. |
| Search Identities | Checkbox | Checked | No | If enabled, the action searches among identities. |
| Search Incidents | Checkbox | Checked | No | If enabled, the action searches among incidents. |
| Search Infrastructures | Checkbox | Checked | No | If enabled, the action searches among infrastructures. |
| Search Intrusion Sets | Checkbox | Checked | No | If enabled, the action searches among intrusion sets. |
| Search Malware | Checkbox | Checked | No | If enabled, the action searches among malware. |
| Search Signatures | Checkbox | Checked | No | If enabled, the action searches among signatures. |
| Search Tools | Checkbox | Checked | No | If enabled, the action searches among tools. |
| Search TTPs | Checkbox | Checked | No | If enabled, the action searches among TTPs. |
| Search Vulnerabilities | Checkbox | Checked | No | If enabled, the action searches among vulnerabilities. |
| Max Domains To Return | Integer | 50 | No | Specify the number of domains to return. |
Run On
This action runs on the following entities:
- Hash
- IP Address
- URL
- User Name with Email regexes
- Threat Actor
- CVE
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success=False |
JSON Result
{
"urls": ["https://www.google.com/url?q=http:/wzFgw"]
}
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message\* | The action should not fail nor stop a playbook execution: If successful and at least one hash across entities is found (is_success=true): "Successfully retrieved related IPs from Siemplify ThreatFuse." If no hashes are found (is_success=false): "No related IPs were found." The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Get Related IPs". Reason: {0}''.format(error.Stacktrace) If the "Confidence Threshold" parameter is not in the 0-100 range: "'Confidence Threshold' value should be in range from 0 to 100." |
General |
Get Related Associations
Description
Retrieve entity related associations from Siemplify ThreatFuse.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Return Campaigns | Checkbox | Checked | No | If enabled, the action fetches related campaigns and details about them. |
| Return Threat Bulletins | Checkbox | Unchecked | No | If enabled, the action fetches related threat bulletins and details about them. |
| Return Actors | Checkbox | Unchecked | No | If enabled, the action fetches related actors and details about them. |
| Return Attack Patterns | Checkbox | Unchecked | No | If enabled, the action fetches related attack patterns and details about them. |
| Return Courses Of Action | Checkbox | Unchecked | No | If enabled, the action fetches related courses of action and details about them. |
| Return Identities | Checkbox | Unchecked | No | If enabled, the action fetches related identities and details about them. |
| Return Incidents | Checkbox | Unchecked | No | If enabled, the action fetches related incidents and details about them. |
| Return Infrastructure | Checkbox | Unchecked | No | If enabled, the action fetches related infrastructure and details about them. |
| Return Intrusion Sets | Checkbox | Unchecked | No | If enabled, the action fetches related intrusion sets and details about them. |
| Return Malware | Checkbox | Unchecked | No | If enabled, the action fetches related malware and details about them. |
| Return Signatures | Checkbox | Unchecked | No | If enabled, the action fetches related signatures and details about them. |
| Return Tools | Checkbox | Unchecked | No | If enabled, the action fetches related tools and details about them. |
| Return TTPs | Checkbox | Unchecked | No | If enabled, the action fetches related TTPs and details about them. |
| Return Vulnerabilities | Checkbox | Checked | No | If enabled, the action fetches related vulnerabilities and details about them. |
| Create Campaign Entity | Checkbox | Unchecked | No | If enabled, the action creates an entity out of available "Campaign" associations. |
| Create Actors Entity | Checkbox | Unchecked | No | If enabled, the action creates an entity out of available "Actor" associations. |
| Create Signature Entity | Checkbox | Unchecked | No | If enabled, the action creates an entity out of available "Signature" associations. |
| Create Vulnerability Entity | Checkbox | Unchecked | No | If enabled, the action creates an entity out of available "Vulnerability" associations. |
| Create Insight | Checkbox | Checked | No | If enabled, the action creates an insight based on the results. |
| Create Case Tag | Checkbox | Checked | No | If enabled, the action creates case tags based on the results. |
| Max Associations To Return | Integer | N/A | No | Specify the number of associations to return per type. |
| Max Statistics To Return | Integer | 3 | No | Specify the number of top statistics results regarding IOCs to return. Note: The action processes the maximum of 1000 IOCs related to the association. If you provide "0", the action does not try to fetch statistics information. |
Run On
This action runs on the following entities:
- Hash
- IP Address
- URL
- User Name with Email regexes
Action Results
Script result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success=False |
JSON Result
{
"campaign": [
{
"name": "Coronavirus",
"id": 1
},
{
"name": "Bad campaign",
"id": 2
}
],
"actor": [
{
"name": "Actor 1",
"id": 1
},
{
"name": "Actor 2",
"id": 2
}
],
"attackpattern": [
{
"name": "Pattern 1",
"id": 1
},
{
"name": "Pattern 2",
"id": 2
}
],
"courseofaction": [
{
"name": "Course of Action 1",
"id": 1
},
{
"name": "Course Of Action 2",
"id": 2
}
],
"identity": [
{
"name": "Identity 1",
"id": 1
},
{
"name": "Identity 2",
"id": 2
}
],
"incident": [
{
"name": "Incident 1",
"id": 1
},
{
"name": "Incident 2",
"id": 2
}
],
"infrastructure": [
{
"name": "Infrustructure 1",
"id": 1
},
{
"name": "Infrustructure 2",
"id": 2
}
],
"intrusionset": [
{
"name": "Intrusion set 1",
"id": 1
},
{
"name": "Intrusion set 2",
"id": 2
}
],
"malware": [
{
"name": "Malware 1",
"id": 1
},
{
"name": "Malware 2",
"id": 2
}
],
"signature": [
{
"name": "Signature 1",
"id": 1
},
{
"name": "Signature 2",
"id": 2
}
],
"tool": [
{
"name": "Tool 1",
"id": 1
},
{
"name": "Tool 2",
"id": 2
}
],
"ttp": [
{
"name": "TTP 1",
"id": 1
},
{
"name": "TTP 2",
"id": 2
}
],
"vulnerability": [
{
"name": "Vulnerability 1",
"id": 1
},
{
"name": "Vulnerability 2",
"id": 2
}
],
}
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If successful and at least one association across entities is found (is_success=true): "Successfully retrieved related associations from Siemplify ThreatFuse" If no associations are found (is_success=false): "No related associations were found." Async Message: Waiting for all of the association details to be retrieved" The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Get Related Association". Reason: {0}''.format(error.Stacktrace) |
General |
| CSV | Name: "Related Associations" Columns:
|
General |
Submit Observables
Description
Submit an observable to Siemplify ThreatFuse based on the IP, URL, Hash, Email entities.
Where to find trusted circle IDs
To find the ID of a trusted circle, locate the trusted circle on Siemplify ThreatFuse, and click on its name. The URL displayed in the address bar shows the ID.
For example: https://siemplify.threatstream.com/search?trustedcircles=13.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Classification | DDL | Private Possible Values:
|
Yes | Specify the classification of the observable. |
| Threat Type | DDL | APT Possible Values
|
Yes | Specify the threat type for the observables. |
| Source | String | Siemplify | No | Specify the intelligence source for the observable. |
| Expiration Date | Integer | N/A | No | Specify the expiration date in days for the observable. If nothing is specified here, the action creates an observable that never expires. |
| Trusted Circle IDs | CSV | N/A | No | Specify a comma-separated list of trusted circle IDs. Observables are shared with those trusted circles. |
| TLP | DDL | Select One Possible Values:
|
No | Specify the TLP for your observables. |
| Confidence | Integer | N/A | No | Specify what should be the confidence for the observable. Note: This parameter only works, if you create observables in your organization and the "Override System Confidence" parameter is enabled. |
| Override System Confidence | Checkbox | Unchecked | No | If enabled, created observables has the confidence specified in the "Confidence" parameter. Note: You can't share observables in trusted circles and publicly, when this parameter is enabled. |
| Anonymous Submission | Checkbox | Unchecked | No | If enabled, the action makes an anonymous submission. |
| Tags | CSV | N/A | No | Specify a comma-separated list of tags that you want to add to observable. |
Run On
This action runs on the following entities:
- Hash
- IP Address
- URL
- User Name with Email regexes
Action Results
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success=False |
JSON Result
approved_jobs = [
{
"id": 123123,
"entity": {entity.identifier}
}
]
jobs_with_excluded_entities = [
{
"id": 123123,
"entity": {entity.identifier}
}
]
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If successful and at least one hash across entities is found (is_success=true): "Successfully submitted and approved the following entities in Siemplify ThreatFuse:\n{0}".format(entity.identifier list) If fail for some entities (rejected entities) (is_success=true): "Action was not able to successfully submit and approve the following entities in Siemplify ThreatFuse\n: {0}".format([entity.identifier]) If fail to enrich for all entities (is_success=false): "No entities were successfully submitted to Siemplify ThreatFuse." The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Submit Observable". Reason: {0}''.format(error.Stacktrace) If the 400 status code is reported: "Error executing action "Submit Observable". Reason: {0}''.format(message) |
General |
Report As False Positive
Description
Report entities in Siemplify ThreatFuse as false positive.
Parameters
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Reason | String | N/A | Yes | Specify the reason why you want to mark entities as false positive. |
| Comment | String | N/A | Yes | Specify additional information related to your decision regarding marking the entity as false positive. |
Run On
This action runs on the following entities:
- Hash
- IP Address
- URL
- User Name with Email regexes
Action Results
Script Result
| Script Result Name | Value Options |
|---|---|
| is_success | is_success=False |
| is_success | is_success=True |
Case Wall
| Result Type | Value / Description | Type |
|---|---|---|
| Output message* | The action should not fail nor stop a playbook execution: If successful and at least one hash across entities is found (is_success=true): "Successfully reported the following entities as false positive in Siemplify ThreatFuse:\n{0}".format(entity.identifier list) If fail to mark specific entities (is_success=true): "Action was not able to report the following entities as false positive in Siemplify ThreatFuse\n: {0}".format([entity.identifier]) If fail to enrich for all entities (issuccess=false): "No entities were reported as false positive." The action should fail and stop a playbook execution: If a fatal error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Report As False Positive". Reason: {0}''.format(error.Stacktrace) |
General |
Connector
Configure Siemplify ThreatFuse - Observables Connector
For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.
Siemplify ThreatFuse - Observables Connector
Pull observables from Siemplify ThreatFuse.
Recommendations
When configuring connector, it is recommended to use a separate environment, so that the analysts won't be flooded with all of the speculative alerts.
Where to find trusted circle IDs
To find the ID of a trusted circle, locate the trusted circle on Siemplify ThreatFuse, and click its name. The URL displayed in the address bar shows the ID.
For example: https://siemplify.threatstream.com/search?trustedcircles=13.
Connector parameters
Use the following parameters to configure the connector:
| Parameter Display Name | Type | Default Value | Is Mandatory | Description |
|---|---|---|---|---|
| Product Field Name | String | Product Name | Yes | Enter the source field name in order to retrieve the Product Field name. |
| Event Field Name | String | type | Yes | Enter the source field name in order to retrieve the Event Field name. |
| Environment Field Name | String | "" | No | Describes the name of the field where the environment name is stored. If the environment field isn't found, the environment is the default environment. |
Environment Regex Pattern |
String | .* | No | A regex pattern to run on the value found in the "Environment Field Name" field. Default is .* to catch all and return the value unchanged. Used to allow the user to manipulate the environment field via regex logic. If the regex pattern is null or empty, or the environment value is null, the final environment result is the default environment. |
| Script Timeout (Seconds) | Integer | 300 | Yes | Timeout limit for the python process running the current script. |
| API Root | String | https://api.threat |
Yes | API root of the Siemplify ThreatFuse instance. |
| Email Address | String | N/A | Yes | Email address of the Siemplify ThreatFuse account. |
| API Key | Password | N/A | Yes | API Key of the Siemplify ThreatFuse account. |
| Lowest Severity To Fetch | String | High | Yes | Lowest severity that will be used to fetch observables. Possible values: Medium High Very-High |
| Lowest Confidence To Fetch | Integer | 50 | Yes | Lowest confidence that will be used to fetch observables. Maximum is 100. |
| Source Feed Filter | CSV | N/A | No | Comma-separated list of feed ids that should be used to ingest observables. Example: 515,4129 |
| Observable Type Filter | CSV | url, domain, email, hash, ip, ipv6 | No | Comma-separated list of observable types that should be ingested. Example: url, domain Possible values: url, domain, email, hash, ip, ipv6 |
| Observable Status Filter | CSV | active | No | Comma-separated list of observable status that should be used to ingest new data. Example: active,inactive Possible values: active,inactive,falsepos |
| Threat Type Filter | CSV | N/A | No | Comma-separated list of threat types that should be used to ingest observables. Example: аdware,anomalous,anonymization,apt Possible values: |
| Trusted Circle Filter | CSV | N/A | No | Comma-separated list of trusted circle ids that should be used to ingest observables. Example: 146,147 |
| Tag Name Filter | CSV | N/A | No | Comma-separated list of tag names associated with observables that should be used with ingestion. Example: Microsoft Credentials, Phishing. |
| Source Feed Grouping | Checkbox | Unchecked | No | If enabled, the connector will group observables from the same source under the same Siemplify Alert. |
| Fetch Max Days Backwards | Integer | 1 | No | Amount of days from where to fetch observables. |
| Max Observables Per Alert | Integer | 100 | No | How many observables should be a part of one Siemplify Alert. Maximum is 200. |
| Use whitelist as a blacklist | Checkbox | Unchecked | Yes | If enabled, dynamic list will be used as a blocklist. |
| Verify SSL | Checkbox | Unchecked | Yes | If enabled, verify the SSL certificate for the connection to the Siemplify Threatfuse server is valid. |
| Proxy Server Address | String | N/A | No | The address of the proxy server to use. |
| Proxy Username | String | N/A | No | The proxy username to authenticate with. |
| Proxy Password | Password | N/A | No | The proxy password to authenticate with. |
Connector rules
Proxy support
The connector supports proxy.