ThreatConnect
Integration version: 10.0
Configure ThreatConnect to work with Google Security Operations SOAR
Organization Settings: Membership
To obtain your API Access ID, Secret Key, and set up a Default API Organization, first you'll have to add an API user in the organization. These configurations are to be found in Settings > Org Settings in your ThreatConnect Interface.
Creating an API User
- Click the Create API User button on the Membership tab of the Organization Settings screen.
Fill in the following fields in order to create and configure the API user account:
- First Name: Enter the API user's first name.
- Last Name: Enter the API user's last name.
- Include in Observations and False Positives: Check this box to allow data provided by the API user to be included in observation and false-positive counts. See Reporting False Positives for more information.
- Disabled: Click the checkbox to disable an API user's account in the event that the Administrator wishes to retain log integrity when the API user no longer requires ThreatConnect access.
Record the Secret Key, as it will not be accessible after the window is closed.
Click the SAVE button to create the API user account.
Configure ThreatConnect integration in Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Actions
Enrich Entities
Description
Enrich IP addresses, hosts, URLs, and hashes with information from ThreatConnect.
Parameters
| Parameter | Type | Default Value | Description |
|---|---|---|---|
| Owner Name | String | N/A | Owner name to fetch the data from. |
Run On
This action runs on the following entities:
- IP Address
- Filehash
- URL
- Hostname
Action Results
Entity Enrichment
| Enrichment Field Name | Logic - When to apply |
|---|---|
| securityLabels | Returns if it exists in JSON result |
| owners | Returns if it exists in JSON result |
| victims | Returns if it exists in JSON result |
| tags | Returns if it exists in JSON result |
| general | Returns if it exists in JSON result |
| observations | Returns if it exists in JSON result |
| groups | Returns if it exists in JSON result |
| indicators | Returns if it exists in JSON result |
| attributes | Returns if it exists in JSON result |
| observationCount | Returns if it exists in JSON result |
| victimAsset | Returns if it exists in JSON result |
Insights
N/A
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_enriched | True/False | is_enriched:False |
JSON Result
[
{
"EntityResult": {
"securityLabels": {
"securityLabel": [],
"resultCount": 0
},
"owners": {
"owner": [{
"type": "Organization",
"id": 440,
"name": "S"
}]},
"victims": {
"resultCount": 0,
"victim": []
},
"tags": [
"C2",
"Malware"
],
"general": {
"url": {
"rating": 5.0,
"confidence": 100,
"dateAdded": "2018-01-09T20: 12: 11Z",
"description": "URLAssociatedwithCryptoLockerC2Servers",
"threatAssessConfidence": 93.33,
"lastModified": "2018-01-09T20: 13: 24Z",
"threatAssessRating": 4.33,
"webLink": "https: //sandbox.threatconnect.com/auth/indicators/details/url.xhtml?orgid=43743075&owner=S",
"text": "http: //markossolomon.com/f1q7qx.php",
"owner": {
"type": "Organization",
"id": 440,
"name": "S"
},
"id": 43743075
}},
"observations": {
"resultCount": 0,
"observation": []
},
"groups": null,
"indicators": {
"indicator": [],
"resultCount": 0
},
"attributes": {
"Description": ["URLAssociatedwithCryptoLockerC2Servers"]
},
"observationCount": {
"observationCount":
{
"count": 0
}},
"victimAssets": {
"victimAsset": [],
"resultCount": 0
}},
"Entity": "HTTP: //MARKOSSOLOMON.COM/F1Q7QX.PHP"
}
]
Ping
Description
Test Connectivity.
Parameters
N/A
Run On
This action runs on all entities.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
N/A