ThreatQ
Integration version: 12.0
Release Notes
Customers who have a PS version of the ThreatQ integration will have to update their playbooks to align with the new integration version: "Get incident details" no longer enriches entities. Use the dedicated enrichment actions for this purpose instead.
Configure ThreatQ integration in Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Integration parameters
Use the following parameters to configure the integration:
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Instance Name | String | Unchecked | No | Name of the Instance you intend to configure integration for. |
Description | String | Unchecked | No | Description of the Instance. |
ServerAddress | String | xx.xx.xx.xx | Yes | Address of the ThreatQ instance. |
ClientId | String | N/A | Yes | ClientId for ThreatQ API |
Username | String | N/A | Yes | Email of the user. |
Password | Password | N/A | Yes | The password of the corresponding user. |
Run Remotely | Checkbox | Unchecked | No | Check the field in order to run the configured integration remotely. Once checked, the option appears to select the remote user (agent). |
Actions
EnrichCVE
Description
Enrich a CVE using ThreatQ information.
Parameters
Name | Type | Default | Is Mandatory | Description |
---|---|---|---|---|
Score Threshold | Integer | 5 | No | Set the acceptable score threshold for the entity. If the score exceeds the specified threshold, the entity will be marked as suspicious. |
Show Sources | Checkbox | Checked | No | If enabled, action will return an additional table with related sources. |
Show Comments | Checkbox | Checked | No | If enabled, action will return an additional table with related comments. |
Show Attributes | Checkbox | Checked | No | If enabled, action will return an additional table with related attributes. |
Mark Whitelisted Entities As Suspicious | Checkbox | Checked | Yes | If enabled, action will mark entities as suspicious if they passed the allowed threshold, even if the entity is whitelisted in ThreatQ. |
Run On
This action runs on the CVE entity.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
[
{
"EntityResult": {
"total": 1,
"data": [{
"status": {
"description": "No longer poses a serious threat.",
"name": "Expired",
"id": 2
},
"hash": "f74ee458b6e12452a04c6595bb3cd2d9",
"adversaries": [],
"status_id": 2,
"created_at": "2020-04-15 13:37:43",
"type_id": 5,
"updated_at": "2020-04-15 13:37:43",
"value": "star@star.star",
"id": 36,
"touched_at": "2020-04-15 13:37:43",
"sources": [{
"name": "Domain Tools",
"source_type": "plugins",
"creator_source_id": 8,
"created_at": "2020-04-15 13:37:43",
"indicator_type_id": 5,
"updated_at": "2020-04-15 13:37:43",
"indicator_status_id": 2,
"indicator_id": 36,
"published_at": "2020-04-15 13:37:43",
"reference_id": 1,
"source_id": 5,
"id": 44
}],
"published_at": "2020-04-15 13:37:43",
"score": 0,
"type": {
"class": "network",
"name": "Email Address",
"id": 5
},
"class": "network",
"expired_at": "2020-04-15 13:37:43"
}]},
"Entity": "email@example.com"
}
]
EnrichEmail
Description
Enrich an email address using ThreatQ information.
Parameters
Name | Type | Default | Is Mandatory | Description |
---|---|---|---|---|
Score Threshold | Integer | 5 | No | Set the acceptable score threshold for the entity. If the score exceeds the specified threshold, the entity will be marked as suspicious. |
Show Sources | Checkbox | Checked | No | If enabled, action will return an additional table with related sources. |
Show Comments | Checkbox | Checked | No | If enabled, action will return an additional table with related comments. |
Show Attributes | Checkbox | Checked | No | If enabled, action will return an additional table with related attributes. |
Mark Whitelisted Entities As Suspicious | Checkbox | Checked | Yes | If enabled, action will mark entities as suspicious if they passed the allowed threshold, even if the entity is whitelisted in ThreatQ. |
Run On
This action runs on all entities.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
[
{
"EntityResult": {
"total": 1,
"data": [{
"status": {
"description": "No longer poses a serious threat.",
"name": "Expired",
"id": 2
},
"hash": "f74ee458b6e12452a04c6595bb3cd2d9",
"adversaries": [],
"status_id": 2,
"created_at": "2020-04-15 13:37:43",
"type_id": 5,
"updated_at": "2020-04-15 13:37:43",
"value": "star@star.star",
"id": 36,
"touched_at": "2020-04-15 13:37:43",
"sources": [{
"name": "Domain Tools",
"source_type": "plugins",
"creator_source_id": 8,
"created_at": "2020-04-15 13:37:43",
"indicator_type_id": 5,
"updated_at": "2020-04-15 13:37:43",
"indicator_status_id": 2,
"indicator_id": 36,
"published_at": "2020-04-15 13:37:43",
"reference_id": 1,
"source_id": 5,
"id": 44
}],
"published_at": "2020-04-15 13:37:43",
"score": 0,
"type": {
"class": "network",
"name": "Email Address",
"id": 5
},
"class": "network",
"expired_at": "2020-04-15 13:37:43"
}]},
"Entity": "email@example.com"
}
]
EnrichHash
Description
Enrich a Hash using ThreatQ information.
Parameters
Name | Type | Default | Is Mandatory | Description |
---|---|---|---|---|
Score Threshold | Integer | 5 | No | Set the acceptable score threshold for the entity. If the score exceeds the specified threshold, the entity will be marked as suspicious. |
Show Sources | Checkbox | Checked | No | If enabled, action will return an additional table with related sources. |
Show Comments | Checkbox | Checked | No | If enabled, action will return an additional table with related comments. |
Show Attributes | Checkbox | Checked | No | If enabled, action will return an additional table with related attributes. |
Mark Whitelisted Entities As Suspicious | Checkbox | Checked | Yes | If enabled, action will mark entities as suspicious if they passed the allowed threshold, even if the entity is whitelisted in ThreatQ. |
Run On
This action runs on the Filehash entity.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
[
{
"EntityResult": {
"total": 1,
"data": [{
"status": {
"description": "Poses a threat and is being exported to detection tools.",
"name": "Active",
"id": 1
},
"hash": "8b168f614b40150266d304dbd5c78036",
"adversaries": [],
"status_id": 1,
"created_at": "2020-03-11 11:26:32",
"tags": ["malware", "trojan"],
"updated_at": "2020-04-07 13:08:42",
"value": "d41d8cd98f00b204e9800998ecf8427e",
"id": 2,
"touched_at": "2020-04-07 13:08:42",
"sources": [{
"name": "Domain Tools",
"source_type": "plugins",
"creator_source_id": 8,
"created_at": "2020-03-15 15:04:31",
"indicator_type_id": 18,
"updated_at": "2020-03-15 15:04:31",
"indicator_status_id": 1,
"indicator_id": 2,
"published_at": "2020-03-15 15:04:31",
"reference_id": 1,
"source_id": 5,
"id": 7
}, {
"name": "tip.labops@siemplify.co",
"source_type": "users",
"creator_source_id": 8,
"created_at": "2020-03-11 11:26:32",
"indicator_type_id": 18,
"updated_at": "2020-03-11 12:25:17",
"indicator_status_id": 1,
"indicator_id": 2,
"published_at": "2020-03-11 11:26:32",
"reference_id": 1,
"source_id": 8,
"id": 2
}],
"published_at": "2020-03-11 11:26:32",
"score": 10,
"comments": [{
"source_name": "tip.labops@siemplify.co",
"creator_source_id": 8,
"created_at": "2020-03-11 12:32:22",
"updated_at": "2020-03-11 12:32:22",
"value": "Comment",
"indicator_id": 2,
"id": 1
}],
"type_id": 18,
"attributes": [{
"name": "Category",
"created_at": "2020-03-11 11:28:58",
"updated_at": "2020-03-11 11:28:58",
"value": "Malware",
"touched_at": "2020-03-11 11:28:58",
"indicator_id": 2,
"attribute_id": 1,
"id": 1
}, {
"name": "VirusTotal: Permalink",
"created_at": "2020-03-11 12:34:47",
"updated_at": "2020-03-11 12:34:47",
"value": "https:\/\/www.virustotal.com\/file\/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\/analysis\/1583929494\/",
"touched_at": "2020-03-11 12:34:47",
"indicator_id": 2,
"attribute_id": 3,
"id": 2
}],
"type": {
"class": "host",
"name": "MD5",
"id": 18
},
"class": "host"
}]},
"Entity": "d41d8cd98f00b204e9800998ecf8427e"
}, {
"EntityResult": {
"total": 1,
"data": [{
"status": {
"description": "No longer poses a serious threat.",
"name": "Expired",
"id": 2
},
"hash": "4ca64ed42f6f4e49f1775e5c63d371cd",
"description": "<p>Test \u05D3 \u05DE\u05D5\u05E0\u05D7\u05D9\u05DD \u05DE\u05D5\u05E2\u05DE\u05D3\u05D9\u05DD \u05E9\u05DC, \u05D3\u05EA \u05D3\u05E4\u05D9\u05DD \u05DE\u05D0\u05DE\u05E8\u05E9\u05D9\u05D7\u05D4\u05E6\u05E4\u05D4 \u05D6\u05D0<\/p>",
"adversaries": [],
"status_id": 2,
"created_at": "2020-04-08 12:47:35",
"type_id": 23,
"updated_at": "2020-04-09 08:00:35",
"value": "8e545e1c31f91f777c894b3bd2c2e7d7044cc9dd",
"id": 25,
"touched_at": "2020-04-09 08:01:42",
"sources": [{
"name": "Investigation1",
"source_type": "other_sources",
"creator_source_id": 8,
"created_at": "2020-04-08 12:47:35",
"indicator_type_id": 23,
"updated_at": "2020-04-08 12:47:35",
"indicator_status_id": 2,
"indicator_id": 25,
"published_at": "2020-04-08 12:47:35",
"reference_id": 1,
"source_id": 9,
"id": 27
}, {
"name": "\u05D3\u05EA \u05D3\u05E4\u05D9\u05DD \u05DE\u05D0\u05DE\u05E8\u05E9\u05D9\u05D7\u05D4\u05E6\u05E4",
"source_type": "other_sources",
"creator_source_id": 8,
"created_at": "2020-04-09 08:01:42",
"indicator_type_id": 23,
"updated_at": "2020-04-09 08:01:42",
"indicator_status_id": 2,
"indicator_id": 25,
"published_at": "2020-04-09 08:01:42",
"reference_id": 2,
"source_id": 10,
"id": 32
}],
"published_at": "2020-04-08 12:47:35",
"score": 0,
"type": {
"class": "host",
"name": "SHA-1",
"id": 23
},
"class": "host",
"expired_at": "2020-04-08 12:47:35"
}]},
"Entity": "8e545e1c31f91f777c894b3bd2c2e7d7044cc9dd"
}
]
Enrich IP
Description
Enrich an IP using ThreatQ information.
Parameters
Name | Type | Default | Is Mandatory | Description |
---|---|---|---|---|
Score Threshold | Integer | 5 | No | Set the acceptable score threshold for the entity. If the score exceeds the specified threshold, the entity will be marked as suspicious. |
Show Sources | Checkbox | Checked | No | If enabled, action will return an additional table with related sources. |
Show Comments | Checkbox | Checked | No | If enabled, action will return an additional table with related comments. |
Show Attributes | Checkbox | Checked | No | If enabled, action will return an additional table with related attributes. |
Mark Whitelisted Entities As Suspicious | Checkbox | Checked | Yes | If enabled, action will mark entities as suspicious if they passed the allowed threshold, even if the entity is whitelisted in ThreatQ. |
Run On
This action runs on the IP Address entity.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
[
{
"EntityResult": {
"total": 1,
"data": [{
"status": {
"description": "No longer poses a serious threat.",
"name": "Expired",
"id": 2
},
"hash": "cb8036b0a7a0ebeeff97a5fe620c4b2c",
"description": "<p>\u05D3\u05EA \u05D3\u05E4\u05D9\u05DD \u05DE\u05D0\u05DE\u05E8\u05E9\u05D9\u05D7\u05D4\u05E6\u05E4<\/p>",
"adversaries": [],
"status_id": 2,
"created_at": "2020-04-08 13:09:02",
"type_id": 15,
"updated_at": "2020-04-09 08:46:43",
"value": "8.8.8.8",
"id": 27,
"touched_at": "2020-04-09 08:46:50",
"sources": [{
"name": "\u05D3\u05EA \u05D3\u05E4\u05D9\u05DD \u05DE\u05D0\u05DE\u05E8\u05E9\u05D9\u05D7\u05D4\u05E6\u05E4",
"source_type": "other_sources",
"creator_source_id": 8,
"created_at": "2020-04-08 13:09:02",
"indicator_type_id": 15,
"updated_at": "2020-04-08 13:10:11",
"indicator_status_id": 2,
"indicator_id": 27,
"published_at": "2020-04-08 13:09:02",
"reference_id": 2,
"source_id": 10,
"id": 30
}],
"published_at": "2020-04-08 13:09:02",
"score": 0,
"comments": [{
"source_name": "example@mail.com",
"creator_source_id": 8,
"created_at": "2020-04-09 08:46:50",
"updated_at": "2020-04-09 08:46:50",
"value": "\u05D3\u05EA \u05D3\u05E4\u05D9\u05DD \u05DE\u05D0\u05DE\u05E8\u05E9\u05D9\u05D7\u05D4\u05E6\u05E4awdwqwq",
"indicator_id": 27,
"id": 5
}],
"attributes": [{
"name": "\u05D3\u05EA \u05D3\u05E4\u05D9\u05DD \u05DE\u05D0\u05DE\u05E8\u05E9\u05D9\u05D7\u05D4\u05E6\u05E4",
"created_at": "2020-04-09 08:46:26",
"updated_at": "2020-04-09 08:46:26",
"value": "hvvhv",
"touched_at": "2020-04-09 08:46:26",
"indicator_id": 27,
"attribute_id": 4,
"id": 6
}],
"type": {
"class": "network",
"name": "IP Address",
"id": 15
},
"class": "network",
"expired_at": "2020-04-08 13:10:11"
}]},
"Entity": "8.8.8.8"
}
]
Enrich URL
Description
Enrich a URL using ThreatQ information.
Parameters
Name | Type | Default | Is Mandatory | Description |
---|---|---|---|---|
Score Threshold | Integer | 5 | No | Set the acceptable score threshold for the entity. If the score exceeds the specified threshold, the entity will be marked as suspicious. |
Show Sources | Checkbox | Checked | No | If enabled, action will return an additional table with related sources. |
Show Comments | Checkbox | Checked | No | If enabled, action will return an additional table with related comments. |
Show Attributes | Checkbox | Checked | No | If enabled, action will return an additional table with related attributes. |
Mark Whitelisted Entities As Suspicious | Checkbox | Checked | Yes | If enabled, action will mark entities as suspicious if they passed the allowed threshold, even if the entity is whitelisted in ThreatQ. |
Run On
This action runs on the URL entity.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
[
{
"EntityResult": {
"total": 1,
"data": [{
"status": {
"description": "Poses a threat and is being exported to detection tools.",
"name": "Active",
"id": 1
},
"hash": "e216253c1198b44c99c6841899c68418",
"adversaries": [],
"status_id": 1,
"created_at": "2020-04-08 08:59:59",
"type_id": 30,
"updated_at": "2020-04-08 08:59:59",
"value": "example2.sk",
"id": 19,
"touched_at": "2020-04-08 08:59:59",
"sources": [{
"name": "tip.labops@siemplify.co",
"source_type": "users",
"creator_source_id": 8,
"created_at": "2020-04-08 08:59:59",
"indicator_type_id": 30,
"updated_at": "2020-04-08 08:59:59",
"indicator_status_id": 1,
"indicator_id": 19,
"published_at": "2020-04-08 08:59:59",
"reference_id": 1,
"source_id": 8,
"id": 21
}],
"published_at": "2020-04-08 08:59:59",
"score": 0,
"expires_calculated_at": "2020-04-08 09:00:01",
"type": {
"class": "network",
"name": "URL",
"id": 30
},
"class": "network"
}]},
"Entity": "example2.sk"
}, {
"EntityResult": {
"total": 1,
"data": [{
"status": {
"description": "Poses a threat and is being exported to detection tools.",
"name": "Active",
"id": 1
},
"hash": "69d4269b838ce143e6f0656384c58ff8",
"description": "<p>URL<\/p>",
"adversaries": [],
"status_id": 1,
"created_at": "2020-03-15 15:49:04",
"tags": ["URL"],
"updated_at": "2020-03-15 15:51:13",
"value": "www.example.com",
"id": 7,
"touched_at": "2020-03-15 15:51:13",
"sources": [{
"name": "Emerging Threats",
"source_type": "plugins",
"creator_source_id": 8,
"created_at": "2020-03-15 15:49:04",
"indicator_type_id": 30,
"updated_at": "2020-03-15 15:49:04",
"indicator_status_id": 1,
"indicator_id": 7,
"published_at": "2020-03-15 15:49:04",
"reference_id": 2,
"source_id": 6,
"id": 9
}],
"published_at": "2020-03-15 15:49:04",
"score": 0,
"expires_calculated_at": "2020-03-15 15:50:02",
"type_id": 30,
"attributes": [{
"name": "Category",
"created_at": "2020-03-15 15:51:03",
"updated_at": "2020-03-15 15:51:03",
"value": "Malware",
"touched_at": "2020-03-15 15:51:03",
"indicator_id": 7,
"attribute_id": 1,
"id": 5
}],
"type": {
"class": "network",
"name": "URL",
"id": 30
},
"class": "network"
}]},
"Entity": "www.example.com"
}
]
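The five Enrich actions above (EnrichCVE, EnrichEmail, EnrichHash, Enrich IP, Enrich URL) all apply the same rule to the JSON Result: the entity is marked suspicious when the ThreatQ score exceeds Score Threshold, with whitelisted indicators exempt unless "Mark Whitelisted Entities As Suspicious" is on, and Sources/Comments/Attributes become optional tables. The following is an added example that is not the integration's own code. It applies that rule to a constructed sample in the shape of the EnrichHash JSON Result; the third indicator (a whitelisted MD5, with an assumed status id) and the `TQ_` prefix on the enrichment keys are assumptions.

```python
"""Apply the Score Threshold / whitelist rule of the Enrich* actions to a
ThreatQ JSON Result.  Added example, not the integration's own code; the TQ_
enrichment-key prefix and the table layout are assumptions."""
import json

# Constructed sample in the shape of the EnrichHash JSON Result above, trimmed
# to the fields this example reads.  The third indicator is invented to show
# the whitelist case (status name "Whitelisted"; its id is an assumption).
SAMPLE_JSON_RESULT = json.loads(r'''
[
  {"Entity": "d41d8cd98f00b204e9800998ecf8427e",
   "EntityResult": {"total": 1, "data": [{
      "value": "d41d8cd98f00b204e9800998ecf8427e", "score": 10,
      "status": {"id": 1, "name": "Active"},
      "type": {"id": 18, "name": "MD5", "class": "host"},
      "sources": [{"name": "Domain Tools", "source_type": "plugins"},
                  {"name": "tip.labops@siemplify.co", "source_type": "users"}],
      "comments": [{"source_name": "tip.labops@siemplify.co", "value": "Comment"}],
      "attributes": [{"name": "Category", "value": "Malware"}]}]}},
  {"Entity": "8e545e1c31f91f777c894b3bd2c2e7d7044cc9dd",
   "EntityResult": {"total": 1, "data": [{
      "value": "8e545e1c31f91f777c894b3bd2c2e7d7044cc9dd", "score": 0,
      "status": {"id": 2, "name": "Expired"},
      "type": {"id": 23, "name": "SHA-1", "class": "host"},
      "sources": [{"name": "Investigation1", "source_type": "other_sources"}]}]}},
  {"Entity": "00112233445566778899aabbccddeeff",
   "EntityResult": {"total": 1, "data": [{
      "value": "00112233445566778899aabbccddeeff", "score": 9,
      "status": {"id": 5, "name": "Whitelisted"},
      "type": {"id": 18, "name": "MD5", "class": "host"},
      "sources": []}]}},
  {"Entity": "ffeeddccbbaa99887766554433221100",
   "EntityResult": {"total": 0, "data": []}}
]
''')

WHITELISTED_STATUS = "Whitelisted"


def is_suspicious(indicator, score_threshold=5, mark_whitelisted_as_suspicious=True):
    """Score Threshold rule: the entity is suspicious only when its ThreatQ score
    *exceeds* the threshold; a whitelisted indicator is exempt unless the
    'Mark Whitelisted Entities As Suspicious' override is on."""
    score = indicator.get("score") or 0          # a missing/null score counts as 0
    if score <= score_threshold:
        return False
    status = (indicator.get("status") or {}).get("name")
    if status == WHITELISTED_STATUS and not mark_whitelisted_as_suspicious:
        return False
    return True


def enrich_entities(json_result, score_threshold=5, mark_whitelisted_as_suspicious=True,
                    show_sources=True, show_comments=True, show_attributes=True):
    """Map each Entity in the JSON Result to a flat enrichment dict, the
    suspicious verdict, and the optional Sources/Comments/Attributes tables."""
    results = {}
    for item in json_result:
        entity = item["Entity"]
        data = (item.get("EntityResult") or {}).get("data") or []
        if not data:                              # ThreatQ has no indicator for it
            results[entity] = {"found": False, "is_suspicious": False, "tables": {}}
            continue
        ind = data[0]                             # first indicator matching the value
        tables = {}
        if show_sources:
            tables["sources"] = [(s["name"], s.get("source_type")) for s in ind.get("sources", [])]
        if show_comments:
            tables["comments"] = [(c.get("source_name"), c["value"]) for c in ind.get("comments", [])]
        if show_attributes:
            tables["attributes"] = [(a["name"], a["value"]) for a in ind.get("attributes", [])]
        results[entity] = {
            "found": True,
            "enrichment": {                       # key prefix is an assumption
                "TQ_score": ind.get("score"),
                "TQ_status": (ind.get("status") or {}).get("name"),
                "TQ_type": (ind.get("type") or {}).get("name"),
            },
            "is_suspicious": is_suspicious(ind, score_threshold, mark_whitelisted_as_suspicious),
            "tables": tables,
        }
    return results


if __name__ == "__main__":
    for entity, r in enrich_entities(SAMPLE_JSON_RESULT).items():
        verdict = "suspicious" if r["is_suspicious"] else "clean"
        print(entity, "found" if r["found"] else "not found", verdict)
```

Note that the threshold comparison is strict: with the default Score Threshold of 5, a score of exactly 5 does not mark the entity, and an indicator that ThreatQ has never seen (`total` 0) is never suspicious, which is a different state from a known indicator with score 0.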
Get Indicator Details
Description
Get the details for an IP address in a CSV format.
Parameters
N/A
Run On
This action runs on the IP Address entity.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
null | N/A | N/A |
Ping
Description
Verifies that a connection to ThreatQ can be established with the configured integration settings.
Parameters
N/A
Run On
This action runs on all entities.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_connect | True/False | is_connect:False |
Create Indicator
Description
Create an indicator in ThreatQ.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Indicator Type | DDL | ASN. Possible values: ASN, Binary String, CIDR Block, CVE, Email Address, Email Attachment, Email Subject, File Mapping, File Path, File name, FQDN, Fuzzy Hash, GOST Hash, Hash ION, IPv4 Address, IPv6 Address, MAC Address, MD5, Mutex, Password, Registry Key, Service Name, File Hash, SHA-1, SHA-256, SHA-384, SHA-512, String, URL, URL Path, User-agent, Username, X-Mailer, x509 Serial, x509 Subject | Yes | Specify the type of the new indicator. |
Status | DDL | Active. Possible values: Active, Expired, Indirect, Review, Whitelisted | Yes | Specify the status of the new indicator. |
Description | String | N/A | No | Specify description of the new indicator. |
Run On
This action runs on all entities.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
{
"total": 1,
"data": [
{
"id": 24,
"type_id": 7,
"status_id": 1,
"class": "network",
"hash": "ee8c2ae6818a9bb8c3b644ab1d3b2777",
"value": "115.47.67.161",
"description": "Kek",
"last_detected_at": null,
"expires_at": null,
"expired_at": null,
"expires_needs_calc": "Y",
"expires_calculated_at": null,
"created_at": "2020-07-20 07:26:52",
"updated_at": "2020-07-20 07:35:06",
"touched_at": "2020-07-20 07:35:06",
"existing": "Y",
"type": {
"id": 7,
"name": "Email Subject",
"class": "network",
"score": null,
"wildcard_matching": "Y",
"created_at": "2020-06-29 17:13:29",
"updated_at": "2020-06-29 17:13:29"
}
}
]
}
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution. If successful and at least one of the provided entities produced an indicator (is_success = true): print "Successfully created indicators in ThreatQ based on the following entities: \n {0}".format(entity.identifier list). If indicators could not be created for specific entities (is_success = true): print "Action was not able to create indicators in ThreatQ based on the following entities: \n{0}".format([entity.identifier]). If no indicator could be created for any entity (is_success = false): print "No indicators were created." The action should fail and stop a playbook execution on a fatal error such as wrong credentials, no connection to the server, or other: print "Error executing action "Create Indicator". Reason: {0}".format(error.Stacktrace) | General |
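The case-wall contract above distinguishes per-entity failures, which are reported in the output message while the playbook continues, from fatal errors (wrong credentials, no connection), which must stop it. The same pattern is used by Create Adversary and Link Entities. The following is an added example that is not the integration's own code: a small runner that applies the Create Indicator rules to a list of entities. `FatalError`, the `create_indicator` callable and the constructed `fake_create_indicator` stand-in are assumptions standing in for the real API client.

```python
"""Per-entity result handling behind the Create Indicator case wall: entity-level
failures are reported in the output message, fatal errors stop the playbook.
Added example, not the integration's own code; FatalError and the
create_indicator callable are assumptions standing in for the real API client."""


class FatalError(Exception):
    """Wrong credentials, no connection to the server, and the like."""


def run_create_indicator(entities, create_indicator):
    """Run create_indicator(entity) for every entity.

    Returns (is_success, output_message) following the case-wall rules:
    is_success is true when at least one entity produced an indicator and
    false when none did; a FatalError propagates so the action fails and the
    playbook stops."""
    created, failed = [], []
    for entity in entities:
        try:
            create_indicator(entity)
            created.append(entity)
        except FatalError:
            raise                                   # stop the playbook
        except Exception:                           # per-entity problem: keep going
            failed.append(entity)

    if not created:
        return False, "No indicators were created."
    lines = ["Successfully created indicators in ThreatQ based on the following entities: \n {0}"
             .format("\n".join(created))]
    if failed:
        lines.append("Action was not able to create indicators in ThreatQ based on the following entities: \n{0}"
                     .format("\n".join(failed)))
    return True, "\n".join(lines)


def format_fatal(action_name, error):
    """Message used when the action fails and stops the playbook."""
    return 'Error executing action "{0}". Reason: {1}'.format(action_name, error)


# Constructed stand-in for the API call: rejects one value, fails hard on another.
def fake_create_indicator(entity):
    if entity == "not-an-indicator":
        raise ValueError("unsupported indicator value")
    if entity == "trigger-outage":
        raise FatalError("no connection to server")


if __name__ == "__main__":
    ok, msg = run_create_indicator(["8.8.8.8", "not-an-indicator"], fake_create_indicator)
    print(ok, msg)
    try:
        run_create_indicator(["trigger-outage"], fake_create_indicator)
    except FatalError as err:
        print(format_fatal("Create Indicator", err))
```

The ordering of the `except` clauses matters: `FatalError` is caught and re-raised before the generic `Exception` handler, otherwise a connection failure would be silently counted as one more failed entity and the playbook would carry on with `is_success = true`.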
Create Adversary
Description
Create an adversary in ThreatQ.
Parameters
N/A
Run On
This action runs on the User entity.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
{
"data": {
"name": "Adversary Nameaa",
"updated_at": "2020-07-20 08:21:34",
"created_at": "2020-07-20 08:21:34",
"id": 11
}
}
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution. If successful and at least one of the provided entities produced an adversary (is_success = true): If adversaries could not be created for specific entities (is_success = true): If it fails for all entities (is_success = false): print "No adversaries were enriched." The action should fail and stop a playbook execution on a fatal error such as wrong credentials, no connection to the server, or other: print "Error executing action "Create Adversary". Reason: {0}".format(error.Stacktrace) | General |
Create Event
Description
Create an event in ThreatQ.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Title | String | N/A | Yes | Specify the title of the event. |
Event Type | DDL | Spearphish. Possible values: Spearphish, Watering Hole, SQL Injection Attack, DoS Attack, Malware, Watchlist, Command and Control, Anonymization, Exfiltration, Host Characteristics, Compromised PKI Certificate, Login Compromise, Incident, Sighting | Yes | Specify the type of the event. |
Happened At | String | N/A | Yes | Specify when the event happened. If nothing is entered in this field, action will use current time. Format: YYYY-MM-DD hh:mm:ss |
Run On
This action doesn't run on entity types.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
{
"data": {
"title": "Event Name",
"type_id": 3,
"happened_at": "2017-03-20 01:43:05",
"hash": "e59c3274f3156b10aca1c8962a5880cb",
"updated_at": "2020-07-20 08:40:53",
"created_at": "2020-07-20 08:40:53",
"touched_at": "2020-07-20 08:40:53",
"id": 3,
"type": {
"id": 3,
"name": "SQL Injection Attack",
"user_editable": "N",
"created_at": "2020-06-29 17:13:28",
"updated_at": "2020-06-29 17:13:28"
}
}
}
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution. If successful (is_success = true): If the event could not be created (is_success = false): print "Event '{0}' was not created in ThreatQ. Reason: {1}".format(title, errors/[0].value). The action should fail and stop a playbook execution on a fatal error such as wrong credentials, no connection to the server, or other: print "Error executing action "Create Event". Reason: {0}".format(error.Stacktrace). If an incorrect time format is used: print "Error executing action "Create Event". Reason: Incorrect time format was passed to 'Happened At' action parameter. Should be YYYY-MM-DD hh:mm:ss." | General |
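Create Event has two inputs worth validating before the request goes out: Event Type must be one of the documented values, and Happened At must match YYYY-MM-DD hh:mm:ss, with an empty field meaning the current time and a malformed one producing the fatal message from the case wall. The following is an added example that is not the integration's own code. The returned request dict layout is an assumption for illustration, not ThreatQ's documented payload; only the validation rules come from the page.

```python
"""Validate the Create Event inputs before calling ThreatQ: Event Type must be one
of the documented values and Happened At must be YYYY-MM-DD hh:mm:ss (empty
means 'now').  Added example, not the integration's own code; the request dict
layout is an assumption, not ThreatQ's documented payload."""
from datetime import datetime

# Possible values of the Event Type parameter, as listed in the table above.
EVENT_TYPES = (
    "Spearphish", "Watering Hole", "SQL Injection Attack", "DoS Attack", "Malware",
    "Watchlist", "Command and Control", "Anonymization", "Exfiltration",
    "Host Characteristics", "Compromised PKI Certificate", "Login Compromise",
    "Incident", "Sighting",
)
HAPPENED_AT_FORMAT = "%Y-%m-%d %H:%M:%S"      # the documented YYYY-MM-DD hh:mm:ss
BAD_TIME_MESSAGE = ('Error executing action "Create Event". Reason: Incorrect time format '
                    "was passed to 'Happened At' action parameter. Should be YYYY-MM-DD hh:mm:ss.")


def parse_happened_at(value, now=None):
    """Return the normalised 'YYYY-MM-DD hh:mm:ss' string, or the current time
    when the field is empty; raise ValueError with the case-wall message otherwise."""
    if value is None or not value.strip():
        return (now or datetime.now()).strftime(HAPPENED_AT_FORMAT)
    try:
        parsed = datetime.strptime(value.strip(), HAPPENED_AT_FORMAT)
    except ValueError:
        raise ValueError(BAD_TIME_MESSAGE)
    return parsed.strftime(HAPPENED_AT_FORMAT)


def build_create_event_request(title, event_type="Spearphish", happened_at=None, now=None):
    """Assemble the fields the action sends (layout assumed) after validating them."""
    if not title:
        raise ValueError("Title is mandatory")
    if event_type not in EVENT_TYPES:
        raise ValueError("Unknown event type: {0}".format(event_type))
    return {
        "title": title,
        "type": event_type,
        "happened_at": parse_happened_at(happened_at, now),
    }


if __name__ == "__main__":
    print(build_create_event_request("Event Name", "SQL Injection Attack", "2017-03-20 01:43:05"))
    try:
        build_create_event_request("Event Name", "Spearphish", "20/03/2017 01:43")
    except ValueError as err:
        print(err)
```

Rejecting the value client-side, rather than letting ThreatQ reject it, is what lets the action produce the exact "Incorrect time format" message instead of a generic API error.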
Add Attribute
Description
Action adds an attribute to the object.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Object Type | DDL | Adversary. Possible values: Adversary, Attack Pattern, Campaign, Course of Action, Event, Exploit Target, File, Identity, Incident, Indicator, Intrusion Set, Malware, Report, Signature, TTP, Vulnerability | Yes | Specify the object type to which the attribute should be added. |
Object Identifier | String | N/A | Yes | Specify the identifier of the object. For example, it can be an MD5 hash, the title of the event, the name of the adversary, etc. |
Indicator Type | DDL | ASN. Possible values: ASN, Binary String, CIDR Block, CVE, Email Address, Email Attachment, Email Subject, File Mapping, File Path, File name, FQDN, Fuzzy Hash, GOST Hash, Hash ION, IPv4 Address, IPv6 Address, MAC Address, MD5, Mutex, Password, Registry Key, Service Name, SHA-1, SHA-256, SHA-384, SHA-512, String, URL, URL Path, User-agent, Username, X-Mailer, x509 Serial, x509 Subject | Yes | Specify the type of the indicator. This parameter is only used if Object Type is "Indicator". |
Attribute Name | String | N/A | Yes | Specify the name of the attribute. |
Attribute Value | String | N/A | Yes | Specify the value of the attribute |
Attribute Source | String | N/A | No | Specify the source of the attribute. |
Run On
This action doesn't run on entity types.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
{
"data": {
"attribute_id": 4,
"value": "4012",
"incident_id": 1,
"id": 1,
"created_at": "2020-07-20 13:29:29",
"updated_at": "2020-07-20 13:29:29",
"touched_at": "2020-07-20 13:29:29",
"name": "321",
"attribute": {
"id": 4,
"name": "321",
"created_at": "2020-07-20 13:21:09",
"updated_at": "2020-07-20 13:21:09"
},
"sources": [
{
"id": 10,
"type": "other_sources",
"reference_id": 2,
"name": "123 User",
"tlp_id": null,
"created_at": "2020-07-20 13:29:29",
"updated_at": "2020-07-20 13:29:29",
"published_at": null,
"pivot": {
"incident_attribute_id": 1,
"source_id": 10,
"id": 1,
"creator_source_id": 8
}
}
]
}
}
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution. If successful (is_success = true): If the object was not found (is_success = false): print "'{0}' object with value '{1}' was not found in ThreatQ.".format(Object Type, Object Identifier). On a general error (is_success = false): print "Action was not able to add attribute {0} to the ThreatQ object.".format(Attribute Name). The action should fail and stop a playbook execution on a fatal error such as wrong credentials, no connection to the server, or other: print "Error executing action "Add Attribute". Reason: {0}".format(error.Stacktrace) | General |
Add Source
Description
Action adds a source to the object.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Object Type | DDL | Adversary. Possible values: Adversary, Attack Pattern, Campaign, Course of Action, Event, Exploit Target, File, Identity, Incident, Indicator, Intrusion Set, Malware, Report, Signature, TTP, Vulnerability | Yes | Specify the object type to which the source should be added. |
Object Identifier | String | N/A | Yes | Specify the identifier of the object. For example, it can be an MD5 hash, the title of the event, the name of the adversary, etc. |
Indicator Type | DDL | ASN. Possible values: ASN, Binary String, CIDR Block, CVE, Email Address, Email Attachment, Email Subject, File Mapping, File Path, File name, FQDN, Fuzzy Hash, GOST Hash, Hash ION, IPv4 Address, IPv6 Address, MAC Address, MD5, Mutex, Password, Registry Key, Service Name, SHA-1, SHA-256, SHA-384, SHA-512, String, URL, URL Path, User-agent, Username, X-Mailer, x509 Serial, x509 Subject | Yes | Specify the type of the indicator. This parameter is only used if Object Type is "Indicator". |
Source Name | String | N/A | Yes | Specify the name of the source. |
Run On
This action doesn't run on entity types.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
{
"total": 1,
"data": [
{
"id": 3,
"incident_id": 1,
"source_id": 11,
"creator_source_id": 8,
"tlp_id": null,
"created_at": "2020-07-20 14:12:52",
"updated_at": "2020-07-20 14:12:52",
"published_at": null,
"deleted_at": null,
"existing": 0,
"name": "321"
}
]
}
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution. If successful (is_success = true): If the object was not found (is_success = false): print "'{0}' object with value '{1}' was not found in ThreatQ.".format(Object Type, Object Value). On a general error (is_success = false): print "Action was not able to add source {0} to the ThreatQ object.".format(Source Name). The action should fail and stop a playbook execution on a fatal error such as wrong credentials, no connection to the server, or other: print "Error executing action "Add Source". Reason: {0}".format(error.Stacktrace) | General |
Link Entities
Description
Action links all of the entities in ThreatQ.
Run On
This action runs on the following entities:
- CVE
- IP Address
- URL
- Filehash
- User
- All entities matching email regex
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
{
"data": {
"id": 1,
"type_id": 18,
"status_id": 2,
"class": "host",
"hash": "6677d693422fbeb541397fb8554f4664",
"value": "7815696ecbf1c96e6894b779456d330e",
"description": null,
"last_detected_at": null,
"expires_at": null,
"expired_at": "2020-07-21 09:05:56",
"expires_needs_calc": "N",
"expires_calculated_at": "2020-07-21 07:35:02",
"created_at": "2020-07-19 09:17:20",
"updated_at": "2020-07-21 09:05:56",
"touched_at": "2020-07-21 09:05:56"
}
}
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution. If successful and at least one of the provided entities was linked (is_success = true): If linking fails for specific entities (is_success = true): print "Action was not able to link the following entities in ThreatQ: \n{0}".format([entity.identifier]). If linking fails for all entities (is_success = false): print "No entities were linked." If only one entity is provided: The action should fail and stop a playbook execution on a fatal error such as wrong credentials, no connection to the server, or other: print "Error executing action "Link Entities". Reason: {0}".format(error.Stacktrace) | General |
Link Entities To Object
Description
Action links all of the entities to the specified object in ThreatQ.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Object Type | DDL | Adversary. Possible values: Adversary, Attack Pattern, Campaign, Course of Action, Event, Exploit Target, File, Identity, Incident, Indicator, Intrusion Set, Malware, Report, Signature, Task, Tool, TTP, Vulnerability | Yes | Specify the type of the object to which you want to link entities. |
Object Identifier | String | N/A | Yes | Specify the identifier of the object to which you want to link entities. For example, it can be an MD5 hash, the title of the event, the name of the adversary, etc. |
Indicator Type | DDL | ASN. Possible values: ASN, Binary String, CIDR Block, CVE, Email Address, Email Attachment, Email Subject, File Mapping, File Path, File name, FQDN, Fuzzy Hash, GOST Hash, Hash ION, IPv4 Address, IPv6 Address, MAC Address, MD5, Mutex, Password, Registry Key, Service Name, SHA-1, SHA-256, SHA-384, SHA-512, String, URL, URL Path, User-agent, Username, X-Mailer, x509 Serial, x509 Subject | No | Specify the type of the indicator to which you want to link entities. This parameter is only used if Object Type is "Indicator". |
Run On
This action runs on the following entities:
- CVE
- IP Address
- URL
- Filehash
- User
- All entities matching email regex
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
{
"data": {
"id": 1,
"type_id": 18,
"status_id": 2,
"class": "host",
"hash": "6677d693422fbeb541397fb8554f4664",
"value": "7815696ecbf1c96e6894b779456d330e",
"description": null,
"last_detected_at": null,
"expires_at": null,
"expired_at": "2020-07-21 09:05:56",
"expires_needs_calc": "N",
"expires_calculated_at": "2020-07-21 07:35:02",
"created_at": "2020-07-19 09:17:20",
"updated_at": "2020-07-21 09:05:56",
"touched_at": "2020-07-21 09:05:56"
}
}
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution. If the object was not found (is_success = false): print "No entities were linked to object '{0}' with value '{1}'. Reason: '{0}' object with value '{1}' was not found in ThreatQ.".format(Object Type, Object Value). If successful and at least one of the provided entities was linked (is_success = true): If linking fails for specific entities (is_success = true): print "Action was not able to link the following entities to object '{0}' with value '{1}' in ThreatQ: \n{2}".format(Object Type, Object Identifier, [entity.identifier]). If linking fails for all entities (is_success = false): print "No entities were linked to object '{0}' with value '{1}'.".format(Object Type, Object Identifier). The action should fail and stop a playbook execution on a fatal error such as wrong credentials, no connection to the server, or other: print "Error executing action "Link Entities To Object". Reason: {0}".format(error.Stacktrace) | General |
Link Objects
Description
Action links two objects in ThreatQ.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Source Object Type | DDL | Adversary. Possible values: Adversary, Attack Pattern, Campaign, Course of Action, Event, Exploit Target, File, Identity, Incident, Indicator, Intrusion Set, Malware, Report, Signature, Task, Tool, TTP, Vulnerability | Yes | Specify the type of the source object. |
Source Object Identifier | String | N/A | Yes | Specify the identifier of the source object. For example, it can be an MD5 hash, the title of the event, the name of the adversary, etc. |
Source Indicator Type | DDL | ASN. Possible values: ASN, Binary String, CIDR Block, CVE, Email Address, Email Attachment, Email Subject, File Mapping, File Path, File name, FQDN, Fuzzy Hash, GOST Hash, Hash ION, IPv4 Address, IPv6 Address, MAC Address, MD5, Mutex, Password, Registry Key, Service Name, SHA-1, SHA-256, SHA-384, SHA-512, String, URL, URL Path, User-agent, Username, X-Mailer, x509 Serial, x509 Subject | No | Specify the type of the source indicator. This parameter is only used if Source Object Type is "Indicator". |
Destination Object Type | DDL | Adversary. Possible values: Adversary, Attack Pattern, Campaign, Course of Action, Event, Exploit Target, File, Identity, Incident, Indicator, Intrusion Set, Malware, Report, Signature, Task, Tool, TTP, Vulnerability | Yes | Specify the type of the destination object. |
Destination Object Identifier | String | N/A | Yes | Specify the identifier of the destination object. For example, it can be an MD5 hash, the title of the event, the name of the adversary, etc. |
Destination Indicator Type | DDL | ASN. Possible values: ASN, Binary String, CIDR Block, CVE, Email Address, Email Attachment, Email Subject, File Mapping, File Path, File name, FQDN, Fuzzy Hash, GOST Hash, Hash ION, IPv4 Address, IPv6 Address, MAC Address, MD5, Mutex, Password, Registry Key, Service Name, SHA-1, SHA-256, SHA-384, SHA-512, String, URL, URL Path, User-agent, Username, X-Mailer, x509 Serial, x509 Subject | No | Specify the type of the destination indicator. This parameter is only used if Destination Object Type is "Indicator". |
Run On
This action doesn't run on entity types.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
{
"data": {
"id": 2,
"value": "123123",
"status_id": null,
"type_id": null,
"description": null,
"started_at": "2020-07-20 12:27:00",
"ended_at": "2020-07-20 12:27:00",
"created_at": "2020-07-20 12:27:10",
"updated_at": "2020-07-20 12:27:10",
"touched_at": "2020-07-20 14:50:14",
"object_id": 4,
"object_code": "incident",
"object_name": "Incident",
"object_name_plural": "Incidents",
"pivot": {
"id": 18,
"created_at": "2020-07-20 14:50:14",
"updated_at": "2020-07-20 14:50:14"
}
}
}
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If successful (is_success = true): If object was not found (is_success = false): print "'{0}' object with value '{1}' was not found in ThreatQ.".format(Object Type, Object Value) If general error (is_success = false): print "Action was not able to link objects in ThreatQ." The action should fail and stop a playbook execution: If fatal error, like wrong credentials, no connection to the server, other: print "Error executing action 'Link Objects'. Reason: {0}".format(error.Stacktrace) | General |
List Related Objects
Description
Action lists related objects in ThreatQ.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Source Object Type | DDL | Adversary. Possible values: Adversary, Attack Pattern, Campaign, Course of Action, Event, Exploit Target, File, Identity, Incident, Indicator, Intrusion Set, Malware, Report, Signature, Task, Tool, TTP, Vulnerability | Yes | Specify the type of the source object. |
Source Object Identifier | String | N/A | Yes | Specify the identifier of the source object. For example, it can be an MD5 hash, the title of an event, the name of an adversary, etc. |
Source Indicator Type | DDL | ASN. Possible values: ASN, Binary String, CIDR Block, CVE, Email Address, Email Attachment, Email Subject, File Mapping, File Path, File name, FQDN, Fuzzy Hash, GOST Hash, Hash ION, IPv4 Address, IPv6 Address, MAC Address, MD5, Mutex, Password, Registry Key, Service Name, SHA-1, SHA-256, SHA-384, SHA-512, String, URL, URL Path, User-agent, Username, X-Mailer, x509 Serial, x509 Subject | No | Specify the type of the source indicator. This parameter is only used if Source Object Type is "Indicator". |
Related Object Type | DDL | Adversary. Possible values: Adversary, Attack Pattern, Campaign, Course of Action, Event, Exploit Target, File, Identity, Incident, Indicator, Intrusion Set, Malware, Report, Signature, Task, Tool, TTP, Vulnerability | Yes | Specify the type of the related object that needs to be returned. |
Max Related Objects To Return | Integer | 50 | No | Specify how many related objects to return. |
Run On
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
{
"total": 2,
"data": [
{
"id": 1,
"value": "Incident 1",
"status_id": null,
"type_id": null,
"description": null,
"started_at": "2020-07-09 06:15:00",
"ended_at": "2020-07-09 06:15:00",
"created_at": "2020-07-09 06:16:10",
"updated_at": "2020-07-09 06:16:10",
"touched_at": "2020-07-21 06:53:33",
"deleted_at": null,
"pivot": {
"id": 20,
"src_type": "indicator",
"src_object_id": 1,
"dest_type": "incident",
"dest_object_id": 1,
"created_at": "2020-07-21 06:53:33",
"updated_at": "2020-07-21 06:53:33"
}
},
{
"id": 2,
"value": "123123",
"status_id": null,
"type_id": null,
"description": null,
"started_at": "2020-07-20 12:27:00",
"ended_at": "2020-07-20 12:27:00",
"created_at": "2020-07-20 12:27:10",
"updated_at": "2020-07-20 12:27:10",
"touched_at": "2020-07-21 06:53:49",
"deleted_at": null,
"pivot": {
"id": 21,
"src_type": "indicator",
"src_object_id": 1,
"dest_type": "incident",
"dest_object_id": 2,
"created_at": "2020-07-21 06:53:49",
"updated_at": "2020-07-21 06:53:49"
}
}
],
"limit": 2,
"offset": 0
}
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If successful (is_success = true): If source object was not found (is_success = false): print "'{0}' object with value '{1}' was not found in ThreatQ.".format(Object Type, Object Value) If there are no related objects of the Related Object Type (is_success = false): print "No related {0} object were found.".format(Related Object Type) If general error (is_success = false): print "Action was not able to list related objects in ThreatQ." The action should fail and stop a playbook execution: If fatal error, like wrong credentials, no connection to the server, other: print "Error executing action 'List Related Objects'. Reason: {0}".format(error.Stacktrace) | General |
Case Wall Table (Object type=Event) | Table name: Related 'Event' objects. Table Columns: | General |
Case Wall Table (Object type=File) | Table name: Related 'File' objects. Table Columns: | General |
Case Wall Table (Object type=Adversary) | Table name: Related 'Adversary' objects. Table Columns: | General |
Case Wall Table (Every other object type) | Table name: "Related '{0}' objects".format(Destination Object Type). Table Columns: | General |
List Entity Related Objects
Description
Action lists related objects for entities in ThreatQ.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Related Object Type | DDL | Adversary. Possible values: Adversary, Attack Pattern, Campaign, Course of Action, Event, Exploit Target, File, Identity, Incident, Indicator, Intrusion Set, Malware, Report, Signature, Task, Tool, TTP, Vulnerability | Yes | Specify the type of related object that needs to be returned. |
Max Related Objects To Return | Integer | 50 | No | Specify how many related objects to return. Maximum is 1000. This is a ThreatQ limitation. |
Run On
This action runs on all entity types.
Action Results
Entity Enrichment
Enrichment Field Name | Source (JSON Key) | Logic - When to apply |
---|---|---|
TQ_related_{0}_id.format(Related object type) | id | If available in JSON Result. |
TQ_related_{0}_value.format(Related object type) | value; if the related object type is event or file: title; if the related object type is adversary: name | If available in JSON Result. |
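The enrichment mapping above, worked through as an added example (not the integration's own code): it picks the value key by related object type, honours the 1000-object ThreatQ ceiling, and builds the TQ_related_* fields from a constructed response shaped like the JSON Result below. The lower-cased, underscore-joined rendering of the {0} placeholder and the ", " join of several related objects are assumptions.

```python
"""Added example (not the integration's own code): builds the Entity Enrichment
fields documented for "List Entity Related Objects" from a ThreatQ response.
Assumptions: the {0} in TQ_related_{0}_... is the related object type lower-cased
with spaces replaced by underscores, and several related objects are joined with
", " into one enrichment value."""
import json

# Per the enrichment table: event and file objects expose their display value
# under "title", adversaries under "name", everything else under "value".
VALUE_KEY_BY_TYPE = {"event": "title", "file": "title", "adversary": "name"}

# Documented ThreatQ limitation for "Max Related Objects To Return".
THREATQ_MAX_RELATED_OBJECTS = 1000

# Constructed sample: the two Incident objects from the action's JSON Result,
# trimmed to the fields this example reads.
SAMPLE_RESPONSE = json.loads("""
{
  "total": 2,
  "data": [
    {"id": 1, "value": "Incident 1", "deleted_at": null,
     "pivot": {"id": 20, "src_type": "indicator", "src_object_id": 1,
               "dest_type": "incident", "dest_object_id": 1}},
    {"id": 2, "value": "123123", "deleted_at": null,
     "pivot": {"id": 21, "src_type": "indicator", "src_object_id": 1,
               "dest_type": "incident", "dest_object_id": 2}}
  ],
  "limit": 2,
  "offset": 0
}
""")


def value_key_for(related_type: str) -> str:
    """Pick the JSON key that carries the display value for a related object type."""
    return VALUE_KEY_BY_TYPE.get(related_type.strip().lower(), "value")


def clamp_limit(requested: int) -> int:
    """Apply the ThreatQ ceiling on how many related objects one call may return."""
    if requested < 1:
        raise ValueError("Max Related Objects To Return must be a positive integer")
    return min(requested, THREATQ_MAX_RELATED_OBJECTS)


def field_slug(related_type: str) -> str:
    """Assumed rendering of the {0} placeholder in the enrichment field names."""
    return related_type.strip().lower().replace(" ", "_")


def build_enrichment(response: dict, related_type: str, max_objects: int = 50) -> dict:
    """Return the TQ_related_{type}_id / TQ_related_{type}_value fields, or {} when
    the response carries no usable related objects (the is_success = false case)."""
    key = value_key_for(related_type)
    # Objects ThreatQ has soft-deleted (deleted_at set) are skipped as a precaution;
    # the page's samples all carry deleted_at = null.
    objects = [o for o in response.get("data", []) if o.get("deleted_at") is None]
    objects = objects[: clamp_limit(max_objects)]
    if not objects:
        return {}
    slug = field_slug(related_type)
    return {
        f"TQ_related_{slug}_id": ", ".join(str(o["id"]) for o in objects),
        f"TQ_related_{slug}_value": ", ".join(str(o.get(key, "")) for o in objects),
    }


def case_wall_table_name(related_type: str, entity_identifier: str) -> str:
    """Title of the per-entity Case Wall table, as documented for this action."""
    return f"Related '{related_type}' objects for {entity_identifier}"


if __name__ == "__main__":
    print(build_enrichment(SAMPLE_RESPONSE, "Incident"))
    print(case_wall_table_name("Incident", "7815696ecbf1c96e6894b779456d330e"))
```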
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
{
"total": 2,
"data": [
{
"id": 1,
"value": "Incident 1",
"status_id": null,
"type_id": null,
"description": null,
"started_at": "2020-07-09 06:15:00",
"ended_at": "2020-07-09 06:15:00",
"created_at": "2020-07-09 06:16:10",
"updated_at": "2020-07-09 06:16:10",
"touched_at": "2020-07-21 06:53:33",
"deleted_at": null,
"pivot": {
"id": 20,
"src_type": "indicator",
"src_object_id": 1,
"dest_type": "incident",
"dest_object_id": 1,
"created_at": "2020-07-21 06:53:33",
"updated_at": "2020-07-21 06:53:33"
}
},
{
"id": 2,
"value": "123123",
"status_id": null,
"type_id": null,
"description": null,
"started_at": "2020-07-20 12:27:00",
"ended_at": "2020-07-20 12:27:00",
"created_at": "2020-07-20 12:27:10",
"updated_at": "2020-07-20 12:27:10",
"touched_at": "2020-07-21 06:53:49",
"deleted_at": null,
"pivot": {
"id": 21,
"src_type": "indicator",
"src_object_id": 1,
"dest_type": "incident",
"dest_object_id": 2,
"created_at": "2020-07-21 06:53:49",
"updated_at": "2020-07-21 06:53:49"
}
}
],
"limit": 2,
"offset": 0
}
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If successful and related objects were listed for at least one of the provided entities (is_success = true): If it fails to list related objects for specific entities (is_success = true): If it fails for all entities (is_success = false): print "No related objects were listed." The action should fail and stop a playbook execution: If fatal error, like wrong credentials, no connection to server, other: print "Error executing action 'List Related Objects'. Reason: {0}".format(error.Stacktrace) | General |
Case Wall Table (Object type=Event) | Table name: Related 'Event' objects for {entity identifier}. Table Columns: | General |
Case Wall Table (Object type=File) | Table name: Related 'File' objects for {entity identifier}. Table Columns: | General |
Case Wall Table (Object type=Adversary) | Table name: Related 'Adversary' objects for {entity identifier}. Table Columns: | General |
Case Wall Table (Every other object type) | Table name: "Related '{0}' objects for {entity identifier}".format(Destination Object Type). Table Columns: | General |
Create Object
Description
Create an object in ThreatQ.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Object Type | DDL | Attack Pattern. Possible values: Attack Pattern, Campaign, Course of Action, Exploit Target, Identity, Incident, Intrusion Set, Malware, Report, Tool, TTP, Vulnerability | Yes | Specify the type of the object. |
Value | String | N/A | Yes | Specify the value of the new object. |
Description | String | N/A | No | Specify the description of the new object. |
Run On
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
{
"data": {
"value": "Adversary Nameaaa",
"description": "Koko",
"updated_at": "2020-07-21 08:46:55",
"created_at": "2020-07-21 08:46:55",
"id": 2,
"object_id": 1,
"object_code": "campaign",
"object_name": "Campaign",
"object_name_plural": "Campaigns"
}
}
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If successful (is_success = true): If it fails to create the new object (is_success = false): print "Action was not able to create new {0} object in ThreatQ.".format(object_type) The action should fail and stop a playbook execution: If fatal error, like wrong credentials, no connection to the server, other: print "Error executing action 'Create Object'. Reason: {0}".format(error.Stacktrace) | General |
Get Malware Details
Description
Action returns information about malware based on entities from ThreatQ.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Additional Information | String | N/A | No | Specify what additional fields should be included in the response. Possible values: adversaries, attackPattern, campaign, courseOfAction, attachments, attributes, comments, events, indicators, signatures, sources, status, tags, type, watchlist, exploitTarget, identity, incident, intrusionSet, malware, report, tool, ttp, vulnerability, tasks |
Run On
This action runs on all entities.
Action Results
Entity Enrichment
Enrichment Field Name | Source (JSON Key) | Logic - When to apply |
---|---|---|
TQ_malware_id | id | If available in JSON Result. |
TQ_malware_status_id | status_id | If available in JSON Result. |
TQ_malware_type_id | type_id | If available in JSON Result. |
TQ_malware_description | description | If available in JSON Result. |
TQ_malware_created_at | created_at | If available in JSON Result. |
TQ_malware_updated_at | updated_at | If available in JSON Result. |
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
{
"total": 1,
"data": [
{
"id": 1,
"value": "Investigation1",
"status_id": null,
"type_id": null,
"description": "<p>Investigation1</p>\n",
"created_at": "2020-07-08 15:59:20",
"updated_at": "2020-07-08 15:59:20",
"touched_at": "2020-07-20 14:46:42",
"object_id": 9,
"object_code": "malware",
"object_name": "Malware",
"object_name_plural": "Malware",
"adversaries": [],
"attack_pattern": [],
"campaign": [],
"course_of_action": [],
"attachments": [],
"attributes": [],
"comments": [],
"events": [],
"indicators": [],
"signatures": [],
"sources": [
{
"id": 5,
"type": "plugins",
"reference_id": 1,
"name": "Domain Tools",
"tlp_id": null,
"created_at": "2020-07-08 15:59:20",
"updated_at": "2020-07-08 15:59:20",
"published_at": null,
"pivot": {
"malware_id": 1,
"source_id": 5,
"id": 1,
"creator_source_id": 8
}
}
],
"status": null,
"tags": [],
"type": null,
"watchlist": [],
"exploit_target": [],
"identity": [],
"incident": [],
"intrusion_set": [],
"malware": [],
"report": [],
"tool": [],
"ttp": [],
"vulnerability": [],
"tasks": [
{
"id": 5,
"name": "Task2",
"description": "<p>Task2</p>\n",
"status_id": 1,
"priority": "Low",
"assignee_source_id": 8,
"creator_source_id": 8,
"due_at": null,
"completed_at": null,
"assigned_at": "2020-07-09 06:25:54",
"created_at": "2020-07-09 06:25:54",
"updated_at": "2020-07-09 06:25:54",
"pivot": {
"id": 9,
"created_at": "2020-07-09 06:25:55",
"updated_at": "2020-07-09 06:25:55"
}
}
]
}
]
}
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If successful and at least one of the provided entities was enriched (is_success = true): If it fails to enrich specific entities (is_success = true): If it fails to enrich all entities (is_success = false): print "No entities were enriched." The action should fail and stop a playbook execution: If fatal error, like wrong credentials, no connection to the server, other: print "Error executing action 'Get Malware Details'. Reason: {0}".format(error.Stacktrace) | General |
Link | Name: Details for {entity}. Link: https://{server_ip}malware/{id}/details |
List Events
Description
List events from ThreatQ.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Additional Fields | CSV | adversaries, attachments, attributes, comments, events, indicators, signatures, sources, spearphish, tags, type, watchlist. | No | Specify what additional fields should be included in the response. Possible values: adversaries, attachments, attributes, comments, events, indicators, signatures, sources, spearphish, tags, type, watchlist. |
Sort Field | DDL | ID. Possible values: ID, Title, Created At, Updated At, Happened At | No | Specify what field should be used for sorting events. |
Sort Direction | DDL | Ascending. Possible values: Ascending, Descending | No | Specify the sorting direction. |
Max Events to Return | Integer | 50 | No | Specify how many events to return. |
Run On
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
{
"total": 1,
"data": [
{
"id": 1,
"type_id": 4,
"title": "Test",
"description": null,
"happened_at": "2020-07-19 09:19:00",
"hash": "78f58dacd9c215003911a09d5b3e810d",
"created_at": "2020-07-19 09:19:39",
"updated_at": "2020-07-19 09:19:39",
"touched_at": "2020-07-19 09:20:22",
"adversaries": [],
"attachments": [],
"attributes": [],
"comments": [],
"events": [],
"indicators": [
{
"id": 1,
"type_id": 18,
"status_id": 1,
"class": "host",
"hash": "6677d693422fbeb541397fb8554f4664",
"value": "7815696ecbf1c96e6894b779456d330e",
"description": null,
"last_detected_at": null,
"expires_at": null,
"expired_at": null,
"expires_needs_calc": "N",
"expires_calculated_at": "2020-07-19 11:10:02",
"created_at": "2020-07-19 09:17:20",
"updated_at": "2020-07-19 09:17:20",
"touched_at": "2020-07-19 11:08:48",
"pivot": {
"id": 11,
"created_at": "2020-07-19 09:19:39",
"updated_at": "2020-07-19 09:19:39"
}
},
{
"id": 2,
"type_id": 18,
"status_id": 1,
"class": "host",
"hash": "65b9aa337a73fa71b88bd613c1f4d06d",
"value": "7815696ecbf1c96e6894b779456d3301",
"description": null,
"last_detected_at": null,
"expires_at": null,
"expired_at": null,
"expires_needs_calc": "N",
"expires_calculated_at": "2020-07-19 09:25:02",
"created_at": "2020-07-19 09:17:43",
"updated_at": "2020-07-19 09:17:43",
"touched_at": "2020-07-19 09:20:22",
"pivot": {
"id": 12,
"created_at": "2020-07-19 09:20:22",
"updated_at": "2020-07-19 09:20:22"
}
}
],
"signatures": [],
"sources": [
{
"id": 6,
"type": "plugins",
"reference_id": 2,
"name": "Emerging Threats",
"tlp_id": null,
"created_at": "2020-07-19 09:19:39",
"updated_at": "2020-07-19 09:19:39",
"published_at": null,
"pivot": {
"event_id": 1,
"source_id": 6,
"id": 1,
"creator_source_id": 8
}
}
],
"spearphish": null,
"tags": [],
"type": {
"id": 4,
"name": "DoS Attack",
"user_editable": "N",
"created_at": "2020-06-29 17:13:28",
"updated_at": "2020-06-29 17:13:28"
},
"watchlist": []
}
]
}
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If successful and data is available (is_success = true): print "Successfully listed ThreatQ events." If no events are found (is_success = false): print "No events were found in ThreatQ." The action should fail and stop a playbook execution: If fatal error, like wrong credentials, no connection to server, other: print "Error executing action 'List Events'. Reason: {0}".format(error.Stacktrace) If an invalid field is specified in the "Additional Fields" parameter: print "Error executing action 'List Events'. Reason: Invalid field was specified in the 'Additional Fields' parameter.".format(error.Stacktrace) | General |
CSV Wall Table | Table name: ThreatQ Events. Table column: | General |
List Indicators
Description
List indicators from ThreatQ.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Additional Fields | CSV | adversaries, attachments, attributes, comments, events, indicators, signatures, sources, spearphish, tags, type, watchlist. | No | Specify what additional fields should be included in the response. Possible values: adversaries, attachments, attributes, comments, events, indicators, score, signatures, sources, status, tags, type, watchlist. |
Sort Field | DDL | ID. Possible values: ID, Title, Created At, Updated At, Happened At | No | Specify what field should be used for sorting indicators. |
Sort Direction | DDL | Ascending. Possible values: Ascending, Descending | No | Specify the sorting direction. |
Max Events to Return | Integer | 50 | No | Specify how many indicators to return. |
Run On
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
{
"total": 8,
"data": [
{
"id": 1,
"name": "Abra Cadabra",
"created_at": "2020-07-19 09:33:29",
"updated_at": "2020-07-19 09:33:29",
"touched_at": "2020-07-19 09:33:29",
"adversaries": [],
"attachments": [],
"attributes": [],
"comments": [],
"description": null,
"events": [],
"indicators": [
{
"id": 1,
"type_id": 18,
"status_id": 1,
"class": "host",
"hash": "6677d693422fbeb541397fb8554f4664",
"value": "7815696ecbf1c96e6894b779456d330e",
"description": null,
"last_detected_at": null,
"expires_at": null,
"expired_at": null,
"expires_needs_calc": "N",
"expires_calculated_at": "2020-07-19 11:10:02",
"created_at": "2020-07-19 09:17:20",
"updated_at": "2020-07-19 09:17:20",
"touched_at": "2020-07-19 11:08:48",
"pivot": {
"id": 13,
"created_at": "2020-07-19 09:33:29",
"updated_at": "2020-07-19 09:33:29"
}
}
],
"plugins": [],
"plugin_actions": [],
"signatures": [],
"sources": [
{
"id": 8,
"type": "users",
"reference_id": 1,
"name": "tip.labops@siemplify.co",
"tlp_id": null,
"created_at": "2020-07-19 09:33:29",
"updated_at": "2020-07-19 09:33:29",
"published_at": null,
"pivot": {
"adversary_id": 1,
"source_id": 8,
"id": 1,
"creator_source_id": 8
}
}
],
"tags": [],
"value_weight": null,
"watchlist": []
}
]
}
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If successful and data is available (is_success = true): print "Successfully listed ThreatQ adversaries." If no data is available (is_success = false): print "No adversaries were found in ThreatQ." The action should fail and stop a playbook execution: If fatal error, like wrong credentials, no connection to server, other: print "Error executing action 'List Adversaries'. Reason: {0}".format(error.Stacktrace) If an invalid field is specified in the "Additional Fields" parameter: print "Error executing action 'List Adversaries'. Reason: Invalid field was specified in the 'Additional Fields' parameter.".format(error.Stacktrace) | General |
CSV Wall Table | Table name: ThreatQ Indicators. Table column: | General |
List Adversaries
Description
List adversaries from ThreatQ.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Additional Fields | CSV | adversaries, attachments, attributes, comments, events, indicators, signatures, sources, spearphish, tags, type, watchlist. | No | Specify what additional fields should be included in the response. Possible values: adversaries, attachments, attributes, comments, events, indicators, score, signatures, sources, status, tags, type, watchlist. |
Sort Field | DDL | ID. Possible values: ID, Title, Created At, Updated At, Happened At | No | Specify what field should be used for sorting adversaries. |
Sort Direction | DDL | Ascending. Possible values: Ascending, Descending | No | Specify the sorting direction. |
Max Events to Return | Integer | 50 | No | Specify how many indicators to return. |
Run On
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
{
"total": 3,
"data": [
{
"id": 3,
"type_id": 27,
"status_id": 1,
"class": "network",
"hash": "6677d693422fbeb541397fb8554f4664",
"value": "7815696ecbf1c96e6894b779456d330e",
"description": null,
"last_detected_at": null,
"expires_at": null,
"expired_at": null,
"expires_needs_calc": "N",
"expires_calculated_at": "2020-07-19 11:10:02",
"created_at": "2020-07-19 11:08:48",
"updated_at": "2020-07-19 11:08:48",
"touched_at": "2020-07-19 11:08:48",
"adversaries": [],
"attachments": [],
"attributes": [],
"comments": [],
"events": [],
"indicators": [
{
"id": 1,
"type_id": 18,
"status_id": 1,
"class": "host",
"hash": "6677d693422fbeb541397fb8554f4664",
"value": "7815696ecbf1c96e6894b779456d330e",
"description": null,
"last_detected_at": null,
"expires_at": null,
"expired_at": null,
"expires_needs_calc": "N",
"expires_calculated_at": "2020-07-19 11:10:02",
"created_at": "2020-07-19 09:17:20",
"updated_at": "2020-07-19 09:17:20",
"touched_at": "2020-07-19 11:08:48",
"pivot": {
"id": 15,
"created_at": "2020-07-19 11:08:48",
"updated_at": "2020-07-19 11:08:48"
}
}
],
"score": {
"indicator_id": 3,
"generated_score": "0.00",
"manual_score": null,
"score_config_hash": "7f8b888a2d2b462310d5227aa75e8c4a78973a96",
"created_at": "2020-07-19 11:08:48",
"updated_at": "2020-07-19 11:08:48"
},
"signatures": [],
"sources": [
{
"id": 8,
"type": "users",
"reference_id": 1,
"name": "tip.labops@siemplify.co",
"tlp_id": null,
"created_at": "2020-07-19 11:08:48",
"updated_at": "2020-07-19 11:08:48",
"published_at": null,
"pivot": {
"indicator_id": 3,
"source_id": 8,
"id": 3,
"creator_source_id": 8
}
}
],
"status": {
"id": 1,
"name": "Active",
"description": "Poses a threat and is being exported to detection tools.",
"user_editable": "N",
"visible": "Y",
"include_in_export": "Y",
"protected": "Y",
"created_at": "2020-06-29 17:14:34",
"updated_at": "2020-06-29 17:14:34"
},
"tags": [],
"type": {
"id": 27,
"name": "String",
"class": "network",
"score": null,
"wildcard_matching": "Y",
"created_at": "2020-06-29 17:13:29",
"updated_at": "2020-06-29 17:13:29"
},
"watchlist": []
}
]
}
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If successful and data is available (is_success = true): print "Successfully listed ThreatQ indicators." If no data is available (is_success = false): print "No indicators were found in ThreatQ." The action should fail and stop a playbook execution: If fatal error, like wrong credentials, no connection to server, other: print "Error executing action 'List Indicators'. Reason: {0}".format(error.Stacktrace) If an invalid field is specified in the "Additional Fields" parameter: print "Error executing action 'List Indicators'. Reason: Invalid field was specified in the 'Additional Fields' parameter.".format(error.Stacktrace) | General |
CSV Wall Table | Table name: ThreatQ Indicators. Table column: | General |
Update Indicator Status
Description
Action updates indicator status in ThreatQ.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Status | DDL | Active. Possible values: Active, Expired, Indirect, Review, Whitelisted | Yes | Specify the new status of the indicator. |
Run On
This action runs on all entities.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
{
"data": {
"id": 1,
"type_id": 18,
"status_id": 2,
"class": "host",
"hash": "6677d693422fbeb541397fb8554f4664",
"value": "7815696ecbf1c96e6894b779456d330e",
"description": null,
"last_detected_at": null,
"expires_at": null,
"expired_at": "2020-07-21 09:05:56",
"expires_needs_calc": "N",
"expires_calculated_at": "2020-07-21 07:35:02",
"created_at": "2020-07-19 09:17:20",
"updated_at": "2020-07-21 09:05:56",
"touched_at": "2020-07-21 09:05:56"
}
}
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If successful (is_success = true): If indicator was not found (is_success = false): If general error (is_success = false): print "Action was not able to update status for the indicator with value '{0}' in ThreatQ.".format(indicator value) The action should fail and stop a playbook execution: If fatal error, like wrong credentials, no connection to server, other: print "Error executing action 'Update Indicator Status'. Reason: {0}".format(error.Stacktrace) | General |
Update Indicator Score
Description
Action updates indicator score in ThreatQ.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Score | DDL | "7 - Medium". Possible values: "0 - Very Low", "1 - Very Low", "2 - Very Low", "3 - Very Low", "4 - Very Low", "5 - Low", "6 - Low", "7 - Medium", "8 - Medium", "9 - High", "10 - Very High" | Yes | Specify the new score of the indicator. |
Score Validation | DDL | Highest Score. Possible values: Highest Score, Force Update | Yes | Specify what kind of score validation should be used. If "Highest Score" is specified, the action compares the current values and updates the indicator's score only if the specified score is higher than both the current generated and manual score. If "Force Update" is specified, the action updates the indicator's score without comparing current values. |
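The "Highest Score" versus "Force Update" decision described above, as an added example that is not the integration's own code: it parses the Score DDL label, reads the current generated and manual scores from a constructed copy of the "data" object shown in this action's JSON Result, and decides whether an update is allowed. Parsing the label by the integer before the dash is an assumption.

```python
"""Added example (not the integration's own code): the "Highest Score" versus
"Force Update" decision documented for Update Indicator Score. Assumptions: the
DDL label is parsed by taking the integer before the dash, and the current scores
come from the "data" object shown in the action's JSON Result."""
from typing import Optional, Tuple

# The Score DDL values listed in the parameter table.
SCORE_LABELS = (
    "0 - Very Low", "1 - Very Low", "2 - Very Low", "3 - Very Low", "4 - Very Low",
    "5 - Low", "6 - Low", "7 - Medium", "8 - Medium", "9 - High", "10 - Very High",
)

# Constructed sample: the "data" object from this action's JSON Result.
SAMPLE_SCORE = {
    "indicator_id": 2,
    "generated_score": "5.00",
    "manual_score": 1,
    "score_config_hash": "7f8b888a2d2b462310d5227aa75e8c4a78973a96",
    "created_at": "2020-07-19 09:17:43",
    "updated_at": "2020-07-21 09:25:27",
}


def parse_score_label(label: str) -> int:
    """Map a DDL label such as "7 - Medium" to 7, rejecting anything not in the list."""
    if label not in SCORE_LABELS:
        raise ValueError(f"unknown Score option: {label!r}")
    return int(label.split("-", 1)[0])


def current_scores(score_block: dict) -> Tuple[float, Optional[float]]:
    """generated_score arrives as a decimal string ("5.00"); manual_score is a
    number or null, so a missing manual score is returned as None."""
    generated = float(score_block.get("generated_score") or 0.0)
    manual = score_block.get("manual_score")
    return generated, (None if manual is None else float(manual))


def decide_update(score_block: dict, new_label: str, validation: str,
                  indicator_value: str) -> Tuple[bool, str]:
    """Return (should_update, reason). Under "Highest Score" the new score must beat
    both the generated and the manual score; an equal score is not an update."""
    new_score = parse_score_label(new_label)
    if validation == "Force Update":
        return True, f"forced update to {new_score}"
    if validation != "Highest Score":
        raise ValueError(f"unknown Score Validation option: {validation!r}")
    generated, manual = current_scores(score_block)
    if new_score > generated and (manual is None or new_score > manual):
        return True, f"{new_score} exceeds generated {generated} and manual {manual}"
    # Wording taken from the action's documented output message.
    return False, (f"Action didn't update score for the indicator with value "
                   f"'{indicator_value}' in ThreatQ. Reason: Current score is higher.")


if __name__ == "__main__":
    for label in ("4 - Very Low", "5 - Low", "7 - Medium"):
        print(label, decide_update(SAMPLE_SCORE, label, "Highest Score",
                                   "7815696ecbf1c96e6894b779456d330e"))
```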
Run On
This action runs on all entities.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
{
"data": {
"indicator_id": 2,
"generated_score": "5.00",
"manual_score": 1,
"score_config_hash": "7f8b888a2d2b462310d5227aa75e8c4a78973a96",
"created_at": "2020-07-19 09:17:43",
"updated_at": "2020-07-21 09:25:27"
}
}
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If successful (is_success = true): If Score Validation == "Highest Score" and the score specified in the action parameter is smaller than the current ones (is_success = false): print "Action didn't update score for the indicator with value '{0}' in ThreatQ. Reason: Current score is higher.".format(indicator value) If indicator was not found (is_success = false): print "Action was not able to update score for the indicator with value '{0}' in ThreatQ. Reason: Indicator with value '{0}' and type '{1}' was not found in ThreatQ.".format(indicator value, indicator type) If general error (is_success = false): print "Action was not able to update score for the indicator with value '{0}' in ThreatQ.".format(indicator value) The action should fail and stop a playbook execution: If fatal error, like wrong credentials, no connection to server, other: print "Error executing action 'Update Indicator Score'. Reason: {0}".format(error.Stacktrace) | General |