Talos ThreatSource
Integration version: 17.0
Configure Talos ThreatSource integration in Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Actions
Get Reputation
Description
Get the reputation and details of an IP Address or a domain.
Parameters
This action has no input parameters.
Use cases
This action has no use cases.
Run On
This action runs on the following entities:
- IP Address
- Hostname
- URL
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
[
  {
    "EntityResult": {
      "1.1.1.1": {
        "reputation": {
          "domain": "one.one.one",
          "daychange": 43.0,
          "web_score": "",
          "ip": "1.1.1.1",
          "dnsmatch": 1,
          "display_ipv6_volume": "false",
          "daily_spam_name": "None",
          "daily_spam_level": 0,
          "category": {
            "description": "Infrastructure and Content Delivery Networks",
            "long_description": "Content delivery infrastructure and dynamically generated content; websites that cannot be classified more specifically because they are secured or otherwise difficult to classify."
          },
          "daily_mag": 3.8307894844544057,
          "monthly_spam_level": 0,
          "hostname": "one.one.one.one",
          "monthly_spam_name": "None",
          "talos_url": "https://www.talosintelligence.com/reputation_center/lookup?search=1.1.1.1",
          "blacklists": {
            "cbl.abuseat.org": {
              "rules": [],
              "lookup_uri": "http://cbl.abuseat.org/lookup.cgi?ip=1.1.1.1"
            },
            "pbl.spamhaus.org": {
              "rules": [],
              "lookup_uri": "http://www.spamhaus.org/query/bl?ip=1.1.1.1"
            },
            "sbl.spamhaus.org": {
              "rules": [],
              "lookup_uri": "http://www.spamhaus.org/query/bl?ip=1.1.1.1"
            },
            "bl.spamcop.net": {
              "rules": [],
              "lookup_uri": "http://spamcop.net/w3m?action=checkblock&ip=1.1.1.1"
            }
          },
          "talos_blacklist": {
            "entry": {
              "first_seen": "2013-04-10T10:05:01",
              "classifications": ["malware"],
              "expiration": "2014-12-17T19:09:58"
            }
          },
          "cidr": "false",
          "email_score": "",
          "email_score_name": "Good",
          "web_score_name": "Neutral",
          "organization": "CloudFlare",
          "monthly_mag": "3.692884173719037"
        },
        "location": {
          "map": "null",
          "country": "Australia",
          "locations": [
            {
              "latitude": -33.494,
              "ips": {
                "good": [
                  {
                    "ip": "1.1.1.1",
                    "magnitude": 3.692884173719037
                  }
                ]
              },
              "longitude": 143.2104
            }
          ],
          "country_code": "AU",
          "country_flag": "/images/flags/AU.png",
          "cities": [
            {
              "country": "Australia",
              "name": "NULL",
              "country_code": "AU",
              "country_flag": "/images/flags/AU.png"
            }
          ]
        }
      }
    },
    "Entity": "test"
  }
]
Entity Enrichment
Enrichment Field Name | Logic - When to apply |
---|---|
Talos_reputation | Returns if it exists in JSON result |
Talos_domain | Returns if it exists in JSON result |
Talos_daychange | Returns if it exists in JSON result |
Talos_web_score | Returns if it exists in JSON result |
Talos_ip | Returns if it exists in JSON result |
Talos_dnsmatch | Returns if it exists in JSON result |
Talos_display_ipv6_volume | Returns if it exists in JSON result |
Talos_daily_spam_name | Returns if it exists in JSON result |
Talos_daily_spam_level | Returns if it exists in JSON result |
Talos_category | Returns if it exists in JSON result |
Talos_description | Returns if it exists in JSON result |
Talos_daily_mag | Returns if it exists in JSON result |
Talos_monthly_spam_level | Returns if it exists in JSON result |
Talos_hostname | Returns if it exists in JSON result |
Talos_monthly_spam_name | Returns if it exists in JSON result |
Talos_url | Returns if it exists in JSON result |
Talos_blacklists | Returns if it exists in JSON result |
Talos_rules | Returns if it exists in JSON result |
Talos_lookup_uri | Returns if it exists in JSON result |
Talos_idr | Returns if it exists in JSON result |
Talos_email_score | Returns if it exists in JSON result |
Talos_email_score_name | Returns if it exists in JSON result |
Talos_web_score_name | Returns if it exists in JSON result |
Talos_organization | Returns if it exists in JSON result |
Talos_monthly_mag | Returns if it exists in JSON result |
Talos_location | Returns if it exists in JSON result |
Talos_magnitude | Returns if it exists in JSON result |
Talos_longitude | Returns if it exists in JSON result |
Talos_country_code | Returns if it exists in JSON result |
Talos_country_flag | Returns if it exists in JSON result |
Talos_cities | Returns if it exists in JSON result |
Insights
N/A
Case Wall
Result type | Value/Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution. If data is available for one entity (is_success=true): "Successfully enriched the following entities using information from Talos ThreatSource: {entity.identifier}". If data is not available for one entity (is_success=true): "Action wasn't able to enrich the following entities using information from Talos ThreatSource: {entity.identifier}". If data is not available for all entities (is_success=false): "None of the provided entities were enriched." The action should fail and stop a playbook execution if a fatal error, like wrong credentials, no connection to the server, or other, is reported: 'Error executing action "Get Reputation". Reason: {0}'.format(error.Stacktrace) | General |
Case Wall Table | Table Name: {entity.identifier}. Table Columns: | Entity |
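To make the JSON Result, the Entity Enrichment mapping and the Case Wall rule above concrete, here is an added Python example (not part of this page or of the integration's own code) that flattens one result into Talos_-prefixed enrichment fields, flags entries with a blocklist rule hit or a Talos blacklist classification, and derives is_success and the output message. The trimmed sample result, the prefix-every-key naming rule, the is_listed check and all function names are assumptions made for the example.

```python
import json

# Constructed sample trimmed from the JSON Result above (not a live response):
SAMPLE_RESULT = json.loads("""
[
  {"Entity": "1.1.1.1", "EntityResult": {"1.1.1.1": {
     "reputation": {
       "domain": "one.one.one", "dnsmatch": 1, "organization": "CloudFlare",
       "email_score_name": "Good", "web_score_name": "Neutral",
       "blacklists": {"bl.spamcop.net": {"rules": [],
                      "lookup_uri": "http://spamcop.net/w3m?action=checkblock&ip=1.1.1.1"}},
       "talos_blacklist": {"entry": {"classifications": ["malware"]}}},
     "location": {"country_code": "AU", "cities": [{"name": "NULL"}]}}}},
  {"Entity": "203.0.113.9", "EntityResult": {}}
]
""")

def flatten(node, out, prefix="Talos_"):
    # One "Talos_" field per key at any depth, as in the enrichment table above
    # (assumption: the integration's own naming may differ, e.g. Talos_url).
    if isinstance(node, dict):
        for key, val in node.items():
            out[prefix + key] = val   # a key repeated at several depths keeps the last value
            flatten(val, out, prefix)
    elif isinstance(node, list):
        for item in node:
            flatten(item, out, prefix)
    return out

def enrich(entry):
    # Enrichment fields for one JSON Result entry; {} when EntityResult is empty.
    data = next(iter((entry.get("EntityResult") or {}).values()), {})
    return flatten(data, {})

def is_listed(fields):
    # Defender check: any blocklist rule hit, or a Talos blacklist classification.
    hit = any(b.get("rules") for b in fields.get("Talos_blacklists", {}).values())
    return hit or bool(fields.get("Talos_classifications"))

def outcome(results):
    # The Case Wall rule above: returns (is_success, output message).
    enriched = [r["Entity"] for r in results if enrich(r)]
    missed = [r["Entity"] for r in results if not enrich(r)]
    if not enriched:
        return False, "None of the provided entities were enriched."
    msg = ("Successfully enriched the following entities using information "
           "from Talos ThreatSource: " + ", ".join(enriched))
    if missed:
        msg += ("\nAction wasn't able to enrich the following entities using "
                "information from Talos ThreatSource: " + ", ".join(missed))
    return True, msg
```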
Ping
Description
Verifies that the user has a connection to Talos ThreatSource through the user's device.
Parameters
This action has no input parameters.
Use cases
This action has no use cases.
Run On
This action runs on all entities.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
N/A
Entity Enrichment
N/A
Insights
N/A
WhoIs
Description
Retrieve Whois information about entities using Talos ThreatSource.
Parameters
This action has no input parameters.
Use cases
This action has no use cases.
Run On
This action runs on the following entities:
- IP Address
- Hostname
- URL
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
N/A
Entity Enrichment
N/A
Insights
N/A
Case Wall
Result type | Value/Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution. If data is available for one entity (is_success=true): "Successfully returned Whois information about the following entities using information from Talos ThreatSource: {entity.identifier}". If "error" is in the response for one entity (is_success=true): "Action wasn't able to return Whois information about the following entities using information from Talos ThreatSource: {entity.identifier}". If "error" is in the response (is_success=false): "No Whois information was found for the provided entities." The action should fail and stop a playbook execution if a fatal error, like wrong credentials, no connection to the server, or other, is reported: 'Error executing action "Whois". Reason: {0}'.format(error.Stacktrace) | General |