Talos ThreatSource

Integration version: 17.0

Configure Talos ThreatSource integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Actions

Get Reputation

Description

Get the reputation and details of an IP Address or a domain.

Parameters

This action has no input parameters.

Use cases

This action has no use cases.

Run On

This action runs on the following entities:

  • IP Address
  • Hostname
  • URL

Action Results

Script Result

Script Result Name    Value Options    Example
is_success            True/False       is_success:False
JSON Result
[
    {
        "EntityResult": {
            "1.1.1.1": {
                "reputation": {
                    "domain": "one.one.one",
                    "daychange": 43.0,
                    "web_score": "",
                    "ip": "1.1.1.1",
                    "dnsmatch": 1,
                    "display_ipv6_volume": "false",
                    "daily_spam_name": "None",
                    "daily_spam_level": 0,
                    "category": {
                        "description": "Infrastructure and Content Delivery Networks",
                        "long_description": "Content delivery infrastructure and dynamically generated content; websites that cannot be classified more specifically because they are secured or otherwise difficult to classify."
                    },
                    "daily_mag": 3.8307894844544057,
                    "monthly_spam_level": 0,
                    "hostname": "one.one.one.one",
                    "monthly_spam_name": "None",
                    "talos_url": "https://www.talosintelligence.com/reputation_center/lookup?search=1.1.1.1",
                    "blacklists": {
                        "cbl.abuseat.org": {
                            "rules": [],
                            "lookup_uri": "http://cbl.abuseat.org/lookup.cgi?ip=1.1.1.1"
                        },
                        "pbl.spamhaus.org": {
                            "rules": [],
                            "lookup_uri": "http://www.spamhaus.org/query/bl?ip=1.1.1.1"
                        },
                        "sbl.spamhaus.org": {
                            "rules": [],
                            "lookup_uri": "http://www.spamhaus.org/query/bl?ip=1.1.1.1"
                        },
                        "bl.spamcop.net": {
                            "rules": [],
                            "lookup_uri": "http://spamcop.net/w3m?action=checkblock&ip=1.1.1.1"
                        }},
                    "talos_blacklist": {
                        "entry": {
                            "first_seen": "2013-04-10T10:05:01",
                            "classifications": ["malware"],
                            "expiration": "2014-12-17T19:09:58"
                        }},
                    "cidr": "false",
                    "email_score": "",
                    "email_score_name": "Good",
                    "web_score_name": "Neutral",
                    "organization": "CloudFlare",
                    "monthly_mag": "3.692884173719037"
                },
                "location": {
                    "map": "null",
                    "country": "Australia",
                    "locations": [{
                        "latitude": -33.494,
                        "ips": {
                            "good": [{
                                "ip": "1.1.1.1",
                                "magnitude": 3.692884173719037
                            }]},
                        "longitude": 143.2104
                    }],
                    "country_code": "AU",
                    "country_flag": "/images/flags/AU.png",
                    "cities": [{
                        "country": "Australia",
                        "name": "NULL",
                        "country_code": "AU",
                        "country_flag": "/images/flags/AU.png"
                    }]}}},
        "Entity": "test"
    }
]
Entity Enrichment

Enrichment Field Name          Logic - When to apply
Talos_reputation               Returns if it exists in JSON result
Talos_domain                   Returns if it exists in JSON result
Talos_daychange                Returns if it exists in JSON result
Talos_web_score                Returns if it exists in JSON result
Talos_ip                       Returns if it exists in JSON result
Talos_dnsmatch                 Returns if it exists in JSON result
Talos_display_ipv6_volume      Returns if it exists in JSON result
Talos_daily_spam_name          Returns if it exists in JSON result
Talos_daily_spam_level         Returns if it exists in JSON result
Talos_category                 Returns if it exists in JSON result
Talos_description              Returns if it exists in JSON result
Talos_daily_mag                Returns if it exists in JSON result
Talos_monthly_spam_level       Returns if it exists in JSON result
Talos_hostname                 Returns if it exists in JSON result
Talos_monthly_spam_name        Returns if it exists in JSON result
Talos_url                      Returns if it exists in JSON result
Talos_blacklists               Returns if it exists in JSON result
Talos_rules                    Returns if it exists in JSON result
Talos_lookup_uri               Returns if it exists in JSON result
Talos_idr                      Returns if it exists in JSON result
Talos_email_score              Returns if it exists in JSON result
Talos_email_score_name         Returns if it exists in JSON result
Talos_web_score_name           Returns if it exists in JSON result
Talos_organization             Returns if it exists in JSON result
Talos_monthly_mag              Returns if it exists in JSON result
Talos_location                 Returns if it exists in JSON result
Talos_magnitude                Returns if it exists in JSON result
Talos_longitude                Returns if it exists in JSON result
Talos_country_code             Returns if it exists in JSON result
Talos_country_flag             Returns if it exists in JSON result
Talos_cities                   Returns if it exists in JSON result

Insights

N/A

Case Wall

Result type: Output message*
Type: General

The action should not fail nor stop a playbook execution:

If data is available for one entity (is_success=true): "Successfully enriched the following entities using information from Talos ThreatSource: {entity.identifier}".

If data is not available for one entity (is_success=true): "Action wasn't able to enrich the following entities using information from Talos ThreatSource: {entity.identifier}".

If data is not available for all entities (is_success=false): "None of the provided entities were enriched."

The action should fail and stop a playbook execution:

If a fatal error is reported, such as wrong credentials or no connection to the server: "Error executing action "Get Reputation". Reason: {0}".format(error.Stacktrace)

Result type: Case Wall Table
Type: Entity

Table Name: {entity.identifier}

Table Columns:

  • Key
  • Value
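The following is an added example, not code from the Talos ThreatSource integration itself. It shows how the documented JSON Result maps onto the Talos_-prefixed enrichment fields and how the Case Wall rules above decide is_success and the output message. The flattening rule (every object key becomes a Talos_ field, dotted keys such as blacklist hostnames are treated as data rather than field names) and the convention that an empty EntityResult means no data was available are assumptions; the page documents only the field names and the message texts. The sample result is a constructed, trimmed copy of the documented JSON.

```python
"""Added example (not code from the Talos ThreatSource integration): derive the
Talos_-prefixed enrichment fields and the Case Wall output message from the
action's JSON Result. The flattening rule and the "empty EntityResult means no
data" convention are assumptions; the page documents only the field names."""
import json

FIELD_PREFIX = "Talos_"
INTEGRATION = "Talos ThreatSource"

# Constructed sample: a trimmed copy of the documented JSON Result for 1.1.1.1.
SAMPLE_RESULT = json.loads("""
[
  {
    "EntityResult": {
      "1.1.1.1": {
        "reputation": {
          "domain": "one.one.one",
          "ip": "1.1.1.1",
          "category": {"description": "Infrastructure and Content Delivery Networks"},
          "talos_url": "https://www.talosintelligence.com/reputation_center/lookup?search=1.1.1.1",
          "blacklists": {
            "cbl.abuseat.org": {
              "rules": [],
              "lookup_uri": "http://cbl.abuseat.org/lookup.cgi?ip=1.1.1.1"
            }
          },
          "email_score_name": "Good",
          "web_score_name": "Neutral",
          "organization": "CloudFlare"
        },
        "location": {"country": "Australia", "country_code": "AU"}
      }
    },
    "Entity": "1.1.1.1"
  }
]
""")


def build_enrichment(entity_result, prefix=FIELD_PREFIX):
    """Flatten one entity's result into <prefix><key> fields.

    Assumed rule: every JSON object key becomes a field; container values are
    stored as serialized JSON and also descended into. Keys containing a dot
    (the blacklist hostnames) are data, not field names, so they are descended
    into but not emitted, which matches the documented field list. When the same
    key appears more than once (for example lookup_uri), the last one wins.
    """
    fields = {}

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if "." not in key:
                    fields[prefix + key] = (
                        json.dumps(value, sort_keys=True)
                        if isinstance(value, (dict, list))
                        else value
                    )
                walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(entity_result)
    return fields


def summarize_action(results):
    """Return (is_success, output_message) following the documented Case Wall rules.

    Assumption: an entity whose EntityResult is empty had no data available.
    """
    enriched = [r["Entity"] for r in results if r.get("EntityResult")]
    missed = [r["Entity"] for r in results if not r.get("EntityResult")]
    if not enriched:
        return False, "None of the provided entities were enriched."
    lines = [
        f"Successfully enriched the following entities using information "
        f"from {INTEGRATION}: {', '.join(enriched)}"
    ]
    if missed:
        lines.append(
            f"Action wasn't able to enrich the following entities using "
            f"information from {INTEGRATION}: {', '.join(missed)}"
        )
    return True, "\n".join(lines)


if __name__ == "__main__":
    for entry in SAMPLE_RESULT:
        for identifier, result in entry["EntityResult"].items():
            for name, value in sorted(build_enrichment(result).items()):
                print(f"{identifier}: {name} = {value}")
    # Second entity is constructed to exercise the "not enriched" branch.
    print(summarize_action(SAMPLE_RESULT + [{"EntityResult": {}, "Entity": "10.0.0.9"}]))
```

Running the block prints the flattened fields for 1.1.1.1 and then the two-line output message produced when one entity is enriched and a second (constructed) one is not; with no enriched entity at all, summarize_action returns is_success=False and the "None of the provided entities were enriched." message.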

Ping

Description

Verifies that a connection to Talos ThreatSource can be established from the user's device.

Parameters

This action has no input parameters.

Use cases

This action has no use cases.

Run On

This action runs on all entities.

Action Results

Script Result

Script Result Name    Value Options    Example
is_success            True/False       is_success:False
JSON Result
N/A
Entity Enrichment

N/A

Insights

N/A

WhoIs

Description

Retrieve Whois information about entities using Talos ThreatSource.

Parameters

This action has no input parameters.

Use cases

This action has no use cases.

Run On

This action runs on the following entities:

  • IP Address
  • Hostname
  • URL

Action Results

Script Result

Script Result Name    Value Options    Example
is_success            True/False       is_success:False
JSON Result
N/A
Entity Enrichment

N/A

Insights

N/A

Case Wall

Result type: Output message*
Type: General

The action should not fail nor stop a playbook execution:

If data is available for one entity (is_success=true): "Successfully returned Whois information about the following entities using information from Talos ThreatSource: {entity.identifier}".

If "error" is in the response for one entity (is_success=true): "Action wasn't able to return Whois information about the following entities using information from Talos ThreatSource: {entity.identifier}".

If "error" is in the response for every entity (is_success=false): "No Whois information was found for the provided entities."

The action should fail and stop a playbook execution:

If a fatal error is reported, such as wrong credentials or no connection to the server: "Error executing action "Whois". Reason: {0}".format(error.Stacktrace)