Integrate Anomali ThreatStream with Google SecOps
This document describes how to integrate Anomali ThreatStream with Google Security Operations (Google SecOps).
Integration version: 11.0
Integration parameters
Use the following parameters to configure the integration:
Parameter name | Type | Default value | Is mandatory | Description |
---|---|---|---|---|
Web Root | String | https://siemplify.threatstream.com | Yes | Web Root of the Anomali ThreatStream instance. This parameter is used for creating report links across integration items. |
API Root | String | https://api.threatstream.com | Yes | API Root of the Anomali ThreatStream instance. |
Email Address | String | N/A | Yes | Email address of the Anomali ThreatStream account. |
API Key | Password | N/A | Yes | API key of the Anomali ThreatStream account. |
Verify SSL | Checkbox | Checked | Yes | If enabled, verifies that the SSL certificate for the connection to the Anomali ThreatStream server is valid. |
For instructions about how to configure an integration in Google SecOps, see Configure integrations.
You can make changes at a later stage, if needed. After you configure an integration instance, you can use it in playbooks. For more information about how to configure and support multiple instances, see Supporting multiple instances.
Actions
For more information about actions, see Respond to pending actions from Your Workdesk and Perform a manual action.
Add Tags To Entities
Add tags to entities in Anomali ThreatStream.
Parameters
Parameter name | Type | Default value | Is mandatory | Description |
---|---|---|---|---|
Tags | CSV | N/A | Yes | Specify a comma-separated list of tags that need to be added to entities in Anomali ThreatStream. |
Run On
This action runs on the following entities:
- Hash
- IP Address
- URL
Action results
Script result
Script result name | Value options | Example |
---|---|---|
is_success | True or False | is_success:False |
Case wall
Output message* (type: General)
The action should not fail nor stop a playbook execution:
- If successful and at least one hash across entities is found (is_success=true): "Successfully added tags to the following entities in Anomali ThreatStream:\n{0}".format(entity.identifier list)
- If some entities are not found (is_success=true): "The following entities were not found in Anomali ThreatStream\n: {0}".format([entity.identifier])
- If none of the entities are found (is_success=false): "None of the provided entities were found."
The action should fail and stop a playbook execution:
- If a fatal error, like wrong credentials, no connection to server, other is reported: "Error executing action "Add Tags To Entities". Reason: {0}".format(error.Stacktrace)
Enrich entities
Retrieve information about IPs, URLs, hashes, email addresses from Anomali ThreatStream.
Parameters
Low
Possible values:
- Very High
- High
- Medium
- Low
Run on
This action runs on the following entities:
- Hash
- IP Address
- URL
Action results
Script result
Script result name | Value options | Example |
---|---|---|
is_success | True or False | is_success:False |
Entity enrichment
Enrichment field name | Logic - When to apply |
---|---|
id | When available in JSON |
status | When available in JSON |
itype | When available in JSON |
expiration_time | When available in JSON |
ip | When available in JSON |
feed_id | When available in JSON |
confidence | When available in JSON |
uuid | When available in JSON |
retina_confidence | When available in JSON |
trusted_circle_ids | When available in JSON |
source | When available in JSON |
latitude | When available in JSON |
type | When available in JSON |
description | When available in JSON |
tags | When available in JSON |
threat_score | When available in JSON |
source_confidence | When available in JSON |
modification_time | When available in JSON |
org_name | When available in JSON |
asn | When available in JSON |
creation_time | When available in JSON |
tlp | When available in JSON |
country | When available in JSON |
longitude | When available in JSON |
severity | When available in JSON |
subtype | When available in JSON |
report | When available in JSON |
Case wall
The action should not fail nor stop a playbook execution:
- If successful and at least one of the provided entities is enriched (is_success=true): "Successfully enriched the following entities using Anomali ThreatStream: \n {0}".format(entity.identifier list)
- If failed to enrich specific entities (is_success=true): "Action was not able to enrich the following entities using Anomali ThreatStream\n: {0}".format([entity.identifier])
- If failed to enrich all entities (is_success=false): "No entities were enriched."
The action should fail and stop a playbook execution:
- If a fatal error, like wrong credentials, no connection to server, other is reported: "Error executing action "Enrich Entities". Reason: {0}".format(error.Stacktrace)
- If the "Confidence Threshold" parameter is not in the 0-100 range: "'Confidence Threshold' value should be in range from 0 to 100."
Table Name: Related Analysis Links: {entity_identifier}
Table Columns:
- Name
- Link
Get Related Associations
Retrieve entity related associations from Anomali ThreatStream.
Parameters
Parameter name | Type | Default value | Is mandatory | Description |
---|---|---|---|---|
Return Campaigns | Checkbox | Checked | No | If enabled, action will fetch related campaigns and details about them. |
Return Threat Bulletins | Checkbox | Checked | No | If enabled, action will fetch related threat bulletins and details about them. |
Return Actors | Checkbox | Checked | No | If enabled, action will fetch related actors and details about them. |
Return Attack Patterns | Checkbox | Checked | No | If enabled, action will fetch related attack patterns and details about them. |
Return Courses Of Action | Checkbox | Checked | No | If enabled, action will fetch related courses of action and details about them. |
Return Identities | Checkbox | Checked | No | If enabled, action will fetch related identities and details about them. |
Return Incidents | Checkbox | Checked | No | If enabled, action will fetch related incidents and details about them. |
Return Infrastructure | Checkbox | Checked | No | If enabled, action will fetch related infrastructure and details about them. |
Return Intrusion Sets | Checkbox | Checked | No | If enabled, action will fetch related intrusion sets and details about them. |
Return Malware | Checkbox | Checked | No | If enabled, action will fetch related malware and details about them. |
Return Signatures | Checkbox | Checked | No | If enabled, action will fetch related signatures and details about them. |
Return Tools | Checkbox | Checked | No | If enabled, action will fetch related tools and details about them. |
Return TTPs | Checkbox | Checked | No | If enabled, action will fetch related TTPs and details about them. |
Return Vulnerabilities | Checkbox | Checked | No | If enabled, action will fetch related vulnerabilities and details about them. |
Create Campaign Entity | Checkbox | Unchecked | No | If enabled, action will create an entity out of available Campaign associations. |
Create Actors Entity | Checkbox | Unchecked | No | If enabled, action will create an entity out of available Actor associations. |
Create Signature Entity | Checkbox | Unchecked | No | If enabled, action will create an entity out of available Signature associations. |
Create Vulnerability Entity | Checkbox | Unchecked | No | If enabled, action will create an entity out of available Vulnerability associations. |
Create Insight | Checkbox | Checked | No | If enabled, action will create an insight based on the results. |
Create Case Tag | Checkbox | Unchecked | No | If enabled, action will create case tags based on the results. |
Max Associations To Return | Integer | 5 | No | Specify how many associations to return per type. Default: 5 |
Max Statistics To Return | Integer | 3 | No | Specify how many top statistics results regarding IOCs to return. Note: The action will at max process 1000 IOCs related to the association. If you provide 0, action doesn't try to fetch statistics information. |
Run on
This action runs on the following entities:
- Hash
- IP Address
- URL
Action results
Script result
Script result name | Value options | Example |
---|---|---|
is_success | True or False | is_success:False |
JSON result
```json
{
  "campaign": [
    {"name": "Example 1", "id": 1},
    {"name": "Example 2", "id": 2}
  ],
  "actor": [
    {"name": "Actor 1", "id": 1},
    {"name": "Actor 2", "id": 2}
  ],
  "attackpattern": [
    {"name": "Pattern 1", "id": 1},
    {"name": "Pattern 2", "id": 2}
  ],
  "courseofaction": [
    {"name": "Course of Action 1", "id": 1},
    {"name": "Course Of Action 2", "id": 2}
  ],
  "identity": [
    {"name": "Identity 1", "id": 1},
    {"name": "Identity 2", "id": 2}
  ],
  "incident": [
    {"name": "Incident 1", "id": 1},
    {"name": "Incident 2", "id": 2}
  ],
  "infrastructure": [
    {"name": "Infrastructure 1", "id": 1},
    {"name": "Infrastructure 2", "id": 2}
  ],
  "intrusionset": [
    {"name": "Intrusion set 1", "id": 1},
    {"name": "Intrusion set 2", "id": 2}
  ],
  "malware": [
    {"name": "Malware 1", "id": 1},
    {"name": "Malware 2", "id": 2}
  ],
  "signature": [
    {"name": "Signature 1", "id": 1},
    {"name": "Signature 2", "id": 2}
  ],
  "tool": [
    {"name": "Tool 1", "id": 1},
    {"name": "Tool 2", "id": 2}
  ],
  "ttp": [
    {"name": "TTP 1", "id": 1},
    {"name": "TTP 2", "id": 2}
  ],
  "vulnerability": [
    {"name": "Vulnerability 1", "id": 1},
    {"name": "Vulnerability 2", "id": 2}
  ]
}
```
Case wall
The action should not fail nor stop a playbook execution:
- If successful and at least one association across entities is found (is_success=true): "Successfully retrieved related associations from Anomali ThreatStream"
- If no associations are found (is_success=false): "No related associations were found."
- Async message: "Waiting for all of the association details to be retrieved"
The action should fail and stop a playbook execution:
- If a fatal error, like wrong credentials, no connection to server, other is reported: "Error executing action "Get Related Association". Reason: {0}".format(error.Stacktrace)
Table Name: "Related Associations"
Table Columns:
- ID
- Name
- Type
- Status
Get Related Entities
Retrieve related entities based on the associations in Anomali ThreatStream.
Parameters
Parameter name | Type | Default value | Is mandatory | Description |
---|---|---|---|---|
Confidence Threshold | Integer | N/A | Yes | Specify what should be the confidence threshold. Maximum is 100. |
Search Threat Bulletins | Checkbox | Checked | No | If enabled, action will search among threat bulletins. |
Search Actors | Checkbox | Checked | No | If enabled, action will search among actors. |
Search Attack Patterns | Checkbox | Checked | No | If enabled, action will search among attack patterns. |
Search Campaigns | Checkbox | Checked | No | If enabled, action will search among campaigns. |
Search Courses Of Action | Checkbox | Checked | No | If enabled, action will search among courses of action. |
Search Identities | Checkbox | Checked | No | If enabled, action will search among identities. |
Search Incidents | Checkbox | Checked | No | If enabled, action will search among incidents. |
Search Infrastructures | Checkbox | Checked | No | If enabled, action will search among infrastructures. |
Search Intrusion Sets | Checkbox | Checked | No | If enabled, action will search among intrusion sets. |
Search Malware | Checkbox | Checked | No | If enabled, action will search among malware. |
Search Signatures | Checkbox | Checked | No | If enabled, action will search among signatures. |
Search Tools | Checkbox | Checked | No | If enabled, action will search among tools. |
Search TTPs | Checkbox | Checked | No | If enabled, action will search among TTPs. |
Search Vulnerabilities | Checkbox | Checked | No | If enabled, action will search among vulnerabilities. |
Max Entities To Return | Integer | 50 | No | Specify how many entities to return per entity type. |
Run on
This action runs on the following entities:
- Hash
- IP Address
- URL
- Email (user entity that matches email regex)
- Threat Actor
- CVE
Action results
Script result
Script result name | Value options | Example |
---|---|---|
is_success | True or False | is_success:False |
JSON result
```json
{
  "{}_hashes.format(subtype)": [""],
  "all_hashes": ["md5hash_1"],
  "domains": [""],
  "urls": [],
  "emails": [],
  "ips": []
}
```
Case wall
Output message* (type: General)
The action should not fail nor stop a playbook execution:
- If successful and at least one hash across entities is found (is_success=true): "Successfully retrieved related hashes from Anomali ThreatStream"
- If no hashes are found (is_success=false): "No related hashes were found."
The action should fail and stop a playbook execution:
- If a fatal error, like wrong credentials, no connection to server, other is reported: "Error executing action "Get Related Hashes". Reason: {0}".format(error.Stacktrace)
- If the "Confidence Threshold" parameter is not in the 0-100 range: "'Confidence Threshold' value should be in range from 0 to 100."
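The following added example (not part of the integration's own code) shows how a playbook step could build the documented "Get Related Entities" JSON layout and enforce the documented "Confidence Threshold" range check. It assumes the threshold drops related indicators whose confidence is below it, and that "Max Entities To Return" caps each list; the indicator field names and the sample data are constructed, not the ThreatStream API schema.

```python
from collections import defaultdict

# Error text quoted from the documented "Get Related Entities" case wall.
CONFIDENCE_RANGE_ERROR = "'Confidence Threshold' value should be in range from 0 to 100."

# Hash subtypes that are grouped under both "<subtype>_hashes" and "all_hashes".
HASH_SUBTYPES = {"md5", "sha1", "sha256", "sha512"}

# Constructed sample of related indicators (field names are assumptions).
SAMPLE_RELATED = [
    {"type": "md5", "value": "md5hash_1", "confidence": 90},
    {"type": "sha256", "value": "sha256hash_1", "confidence": 40},
    {"type": "domain", "value": "example.test", "confidence": 75},
    {"type": "url", "value": "http://example.test/a", "confidence": 20},
    {"type": "email", "value": "user@example.test", "confidence": 80},
    {"type": "ip", "value": "192.0.2.10", "confidence": 95},
]


def validate_confidence_threshold(value):
    """Apply the documented 0-100 check and raise the documented message."""
    if not isinstance(value, int) or value < 0 or value > 100:
        raise ValueError(CONFIDENCE_RANGE_ERROR)
    return value


def build_related_entities_result(related, confidence_threshold, max_per_type=50):
    """Shape related indicators into the documented JSON result layout:
    one "<subtype>_hashes" list per hash subtype seen, plus "all_hashes",
    "domains", "urls", "emails" and "ips". Indicators below the threshold
    are dropped (assumption) and each list is capped by max_per_type, the
    documented "Max Entities To Return" default of 50."""
    threshold = validate_confidence_threshold(confidence_threshold)
    buckets = defaultdict(list)
    for item in related:
        if item["confidence"] < threshold:
            continue
        kind, value = item["type"], item["value"]
        if kind in HASH_SUBTYPES:
            buckets[f"{kind}_hashes"].append(value)
            buckets["all_hashes"].append(value)
        elif kind == "domain":
            buckets["domains"].append(value)
        elif kind == "url":
            buckets["urls"].append(value)
        elif kind == "email":
            buckets["emails"].append(value)
        elif kind == "ip":
            buckets["ips"].append(value)
    # The fixed keys are always present, even when empty, as in the documented sample.
    result = {"all_hashes": [], "domains": [], "urls": [], "emails": [], "ips": []}
    for key, values in buckets.items():
        result[key] = values[:max_per_type]
    return result
```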
Ping
Test the connectivity to Anomali ThreatStream.
Parameters
N/A
Run on
This action doesn't run on entities and has no mandatory input parameters.
Action results
Script result
Script result name | Value options | Example |
---|---|---|
is_success | True or False | is_success:False |
Case wall
Output message* (type: General)
The action should not fail nor stop a playbook execution:
- If successful: "Successfully connected to the Anomali ThreatStream server with the provided connection parameters!"
The action should fail and stop a playbook execution:
- If not successful: "Failed to connect to the Anomali ThreatStream server! Error is {0}".format(exception.stacktrace)
Remove Tags From Entities
Remove tags from entities in Anomali ThreatStream. Supported entities: Hash, URL, IP Address, Email Address (user entity that matches email regex).
Parameters
Parameter name | Type | Default value | Is mandatory | Description |
---|---|---|---|---|
Tags | CSV | N/A | Yes | Specify a comma-separated list of tags that need to be removed from entities in Anomali ThreatStream. |
Run on
This action runs on the following entities:
- Hash
- IP Address
- URL
Action results
Script result
Script result name | Value options | Example |
---|---|---|
is_success | True or False | is_success:False |
Case wall
Output message* (type: General)
The action should not fail nor stop a playbook execution:
- If successful and at least one tag is removed from one entity (is_success=true): "Successfully removed the following tags from the "{entity.identifier}" entity in Anomali ThreatStream:\n{0}".format(tags)
- If one tag is not found for one entity (is_success=true): "The following tags were already not a part of "{entity.identifier}" entity in Anomali ThreatStream:\n{0}".format(tags)
- If none of the tags are found for one entity (is_success=true): "None of the provided tags were part of "{entity.identifier}" entity in Anomali ThreatStream."
- If one entity is not found (is_success=true): "The following entities were not found in Anomali ThreatStream\n: {0}".format([entity.identifier])
- If none of the entities are found (is_success=false): "None of the provided entities were found."
The action should fail and stop a playbook execution:
- If a fatal error, like wrong credentials, no connection to server, other is reported: "Error executing action "Remove Tags From Entities". Reason: {0}".format(error.Stacktrace)
Report As False Positive
Report entities in Anomali ThreatStream as false positive. Supported entities: Hash, URL, IP Address, Email Address (user entity that matches email regex).
Parameters
Parameter name | Type | Default value | Is mandatory | Description |
---|---|---|---|---|
Reason | String | N/A | Yes | Specify the reason why you want to mark entities as false positives. |
Comment | String | N/A | Yes | Specify additional information related to your decision regarding marking the entity as false positive. |
Run on
This action runs on the following entities:
- Hash
- IP Address
- URL
- Email Address (user entity that matches email regex)
Action results
Script result
Script result name | Value options | Example |
---|---|---|
is_success | True or False | is_success:False |
Case wall
Output message* (type: General)
The action should not fail nor stop a playbook execution:
- If successful and at least one hash across entities is found (is_success=true): "Successfully reported the following entities as false positive in Anomali ThreatStream:\n{0}".format(entity.identifier list)
- If some entities fail to be marked (is_success=true): "Action was not able to report the following entities as false positive in Anomali ThreatStream\n: {0}".format([entity.identifier])
- If all entities fail to be reported (is_success=false): "No entities were reported as false positive."
The action should fail and stop a playbook execution:
- If a fatal error, like wrong credentials, no connection to server, other is reported: "Error executing action "Report As False Positive". Reason: {0}".format(error.Stacktrace)
Submit Observables
Submit an observable to Anomali ThreatStream based on IP, URL, Hash, Email entities. Supported entities: Hash, URL, IP Address, Email Address (user entity that matches email regex).
Where to find trusted circle IDs
To find the ID of a trusted circle, locate the trusted circle on Anomali ThreatStream, and click its name. The URL displayed in the address bar shows the ID, such as https://siemplify.threatstream.com/search?trustedcircles=13.
Parameters
Private
Possible values:
- Public
- Private
APT
Possible values:
- APT
- Adware
- Anomalous
- Anomyzation
- Bot
- Brute
- C2
- Compromised
- Crypto
- Data Leakage
- DDOS
- Dynamic DNS
- Exfil
- Exploit
- Fraud
- Hacking Tool
- I2P
- Informational
- Malware
- P2P
- Parked
- Phish
- Scan
- Sinkhole
- Social
- Spam
- Suppress
- Suspicious
- TOR
- VPS
Select One
Possible Values:
- Select One
- Red
- Green
- Amber
- White
Run on
This action runs on the following entities:
- Hash
- IP Address
- URL
Action results
Script result
Script result name | Value options | Example |
---|---|---|
is_success | True or False | is_success:False |
JSON result
```text
approved_jobs = [
    {
        "id": ,
        "entity": {entity.identifier}
    }
]
jobs_with_excluded_entities = [
    {
        "id": ,
        "entity": {entity.identifier}
    }
]
```
Case wall
Output message* (type: General)
The action should not fail nor stop a playbook execution:
- If successful and at least one hash across entities is found (is_success=true): "Successfully submitted and approved the following entities in Anomali ThreatStream:\n{0}".format(entity.identifier list)
- If some entities fail to be submitted (rejected entities) (is_success=true): "Action was not able to successfully submit and approve the following entities in Anomali ThreatStream\n: {0}".format([entity.identifier])
- If all entities fail to be submitted (is_success=false): "No entities were successfully submitted to Anomali ThreatStream."
The action should fail and stop a playbook execution:
- If a fatal error, like wrong credentials, no connection to server, other is reported: "Error executing action "Submit Observables". Reason: {0}".format(error.Stacktrace)
- If the 400 status code is reported: "Error executing action "Submit Observables". Reason: {0}".format(message)
Link (type: Entity)
Connectors
For more detail about how to configure connectors in Google SecOps, see Ingest your data (connectors).
Anomali ThreatStream - Observables Connector
Pull observables from Anomali ThreatStream.
Source names are used in the dynamic list.
To find the ID of a trusted circle, locate the trusted circle on Anomali ThreatStream, and click its name. The URL displayed in the address bar shows the ID, such as https://siemplify.threatstream.com/search?trustedcircles=13.
Connector parameters
Use the following parameters to configure the connector:
The name of the field where the product name is stored. The default value is Product Name.
The product name primarily impacts mapping. To streamline and improve the mapping process for the connector, the default value resolves to a fallback value that is referenced from the code. Any invalid input for this parameter resolves to a fallback value by default.
The name of the field that determines the event name (subtype).
The name of the field where the environment name is stored. If the environment field is missing, the connector uses the default value.
Environment Regex Pattern
A regular expression pattern to run on the value found in the Environment Field Name field. This parameter lets you manipulate the environment field using the regular expression logic. Use the default value .* to retrieve the required raw Environment Field Name value. If the regular expression pattern is null or empty, or the environment value is null, the final environment result is the default environment.
Lowest severity that will be used to fetch observables.
Possible values:
- Low
- Medium
- High
- Very-High
100
515,4129
Comma-separated list of observable types that should be ingested, such as URL, domain.
Possible values: URL, domain, email, hash, ip, ipv6
Comma-separated list of observable statuses that should be used to ingest new data, such as active,inactive.
Possible values: active, inactive, falsepos
Comma-separated list of threat types that should be used to ingest observables, such as adware,anomalous,anonymization,apt.
Possible values: adware, anomalous, anonymization, apt, bot, brute, c2, compromised, crypto, data_leakage, ddos, dyn_dns, exfil, exploit, fraud, hack_tool, i2p, informational, malware, p2p, parked, phish, scan, sinkhole, spam, suppress, suspicious, tor, vps
Comma-separated list of trusted circle ids that should be used to ingest observables, such as 146,147.
Microsoft Credentials, Phishing
The number of days prior to today to retrieve the observables. This parameter can apply to the initial connector iteration after you enable the connector for the first time, or the fallback value for an expired connector timestamp.
Use whitelist as a blacklist
If selected, the connector uses the dynamic list as a blocklist.
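As an added illustration (not the connector's own code), the following Python shows how the connector parameters described above combine when an observable is evaluated for ingestion: the Environment Regex Pattern fallback rules, the severity floor, the comma-separated type, status, threat-type and trusted-circle filters, and the dynamic list of source names used as an allowlist or, with "Use whitelist as a blacklist", as a blocklist. The observable field names, the settings keys and the sample observables are constructed assumptions; treating a non-matching regex as falling back to the default environment is also an assumption.

```python
import re

# Severity ladder in the order the connector documents its possible values.
SEVERITY_ORDER = ["low", "medium", "high", "very-high"]


def parse_csv(value):
    """Split a comma-separated connector parameter and drop blanks."""
    return [v.strip() for v in value.split(",") if v.strip()]


def resolve_environment(event, env_field, env_regex, default_env):
    """Documented rule: an empty pattern or a missing environment value
    yields the default environment; otherwise the first regex match is used
    (".*" keeps the raw value). No-match falling back to the default is an
    assumption, not stated on the page."""
    value = event.get(env_field)
    if not env_regex or value is None:
        return default_env
    match = re.search(env_regex, str(value))
    return match.group(0) if match else default_env


def observable_passes(obs, settings):
    """Apply the documented ingestion filters to one observable."""
    floor = SEVERITY_ORDER.index(settings["lowest_severity"].lower())
    if SEVERITY_ORDER.index(obs["severity"].lower()) < floor:
        return False
    for key, field in (("types", "type"), ("statuses", "status"), ("threat_types", "threat_type")):
        if settings[key] and obs[field] not in settings[key]:
            return False
    circles = settings["trusted_circles"]
    if circles and not set(circles) & set(obs["trusted_circle_ids"]):
        return False
    if settings["dynamic_list"]:
        listed = obs["source"] in settings["dynamic_list"]
        # Allowlist: only listed sources pass; blocklist: listed sources are dropped.
        return listed != settings["whitelist_as_blacklist"]
    return True


def filter_observables(observables, settings):
    """Return the values of the observables the connector would ingest."""
    return [o["value"] for o in observables if observable_passes(o, settings)]


# Constructed sample settings and observables (not real feed data).
SETTINGS = {
    "lowest_severity": "Medium",
    "types": parse_csv("URL, domain"),
    "statuses": parse_csv("active,inactive"),
    "threat_types": parse_csv("adware,anomalous,anonymization,apt"),
    "trusted_circles": parse_csv("146,147"),
    "dynamic_list": ["Feed A"],
    "whitelist_as_blacklist": True,
}
SAMPLE_OBSERVABLES = [
    {"value": "example.test", "type": "domain", "status": "active", "severity": "high",
     "threat_type": "apt", "trusted_circle_ids": ["146"], "source": "Feed B"},
    {"value": "http://example.test/x", "type": "URL", "status": "active", "severity": "low",
     "threat_type": "apt", "trusted_circle_ids": ["146"], "source": "Feed B"},
    {"value": "192.0.2.1", "type": "ip", "status": "active", "severity": "very-high",
     "threat_type": "apt", "trusted_circle_ids": ["146"], "source": "Feed B"},
    {"value": "other.test", "type": "domain", "status": "active", "severity": "high",
     "threat_type": "apt", "trusted_circle_ids": ["146"], "source": "Feed A"},
]
```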
Connector rules
The connector supports proxies.