ThreatConnect
Integration version: 11.0
Configure ThreatConnect to work with Google Security Operations
Organization Settings: Membership
To obtain your API Access ID and Secret Key, and to set a Default API Organization, you first have to add an API user in the organization. These settings are found under Settings > Org Settings in the ThreatConnect interface.
Creating an API User
- Click the Create API User button on the Membership tab of the Organization Settings screen.
- Fill in the following fields to create and configure the API user account:
  - First Name: Enter the API user's first name.
  - Last Name: Enter the API user's last name.
  - Include in Observations and False Positives: Check this box to allow data provided by the API user to be included in observation and false-positive counts. See Reporting False Positives for more information.
  - Disabled: Check this box to disable the API user's account when the user no longer requires ThreatConnect access. Disabling rather than deleting the account preserves log integrity.
- Record the Secret Key, as it will not be accessible after the window is closed. Treat it like a password: store it only in the integration's credential field, never in a playbook or ticket.
- Click the SAVE button to create the API user account.
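The Access ID and Secret Key recorded above are used to sign every request the integration sends. The following is an added example, not code from this page or from ThreatConnect, that reproduces ThreatConnect's documented HMAC request signing so you can verify a new API user's credentials before configuring the integration. The credential values and the request path are placeholders, and the "/api/v2/indicators/<type>/<indicator>" path form is an assumption about the v2 endpoint being queried.

```python
"""Sign a ThreatConnect API request with an API user's Access ID and Secret Key.

Added example; not code from the Google SecOps page or from ThreatConnect.
It follows ThreatConnect's documented HMAC scheme: the Authorization header is
"TC {accessId}:{signature}", where signature = Base64(HMAC-SHA256(secretKey,
"{path}:{METHOD}:{timestamp}")), and the same Unix timestamp is sent in the
Timestamp header. Credential values and the request path below are placeholders.
"""
import base64
import hashlib
import hmac
import time
from typing import Dict, Optional
from urllib.parse import quote


def tc_auth_headers(access_id: str, secret_key: str, method: str, path: str,
                    timestamp: Optional[int] = None) -> Dict[str, str]:
    """Build the Authorization and Timestamp headers for a single request.

    `path` must be the request URI as sent, including the query string, because
    the query string is part of the signed message.
    """
    ts = int(time.time()) if timestamp is None else timestamp
    message = f"{path}:{method.upper()}:{ts}"
    digest = hmac.new(secret_key.encode("utf-8"), message.encode("utf-8"),
                      hashlib.sha256).digest()
    signature = base64.b64encode(digest).decode("ascii")
    return {"Authorization": f"TC {access_id}:{signature}", "Timestamp": str(ts)}


def indicator_path(indicator: str, indicator_type: str = "urls",
                   owner: Optional[str] = None) -> str:
    """Path for a v2 indicator lookup (assumed endpoint form). The indicator is
    percent-encoded so a URL such as http://example.test/a.php does not turn
    into extra path segments, and the owner goes in the query string."""
    path = f"/api/v2/indicators/{indicator_type}/{quote(indicator, safe='')}"
    if owner:
        path += f"?owner={quote(owner, safe='')}"
    return path


if __name__ == "__main__":
    # Placeholder credentials (constructed): the real values come from the
    # API user created under Settings > Org Settings > Membership.
    access_id, secret_key = "EXAMPLE-ACCESS-ID", "example-secret-key"
    path = indicator_path("http://markossolomon.com/f1q7qx.php", "urls", "S")
    headers = tc_auth_headers(access_id, secret_key, "GET", path)
    for name, value in headers.items():
        print(f"{name}: {value}")
    # Send with e.g. requests.get("https://<instance>" + path, headers=headers).
    # An HTTP 401 means the Access ID / Secret Key pair (or the signed path)
    # was rejected; check the credentials before blaming the integration.
```

Because the timestamp is part of the signed message, ThreatConnect compares it with its own clock, so the SecOps host running the integration must keep accurate time or every request fails authentication.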
Configure ThreatConnect integration in Google SecOps
For detailed instructions on how to configure an integration in Google SecOps, see Configure integrations.
Actions
Enrich Entities
Description
Enrich IP addresses, hosts, URLs, and hashes with information from ThreatConnect.
Parameters
| Parameter | Type | Default Value | Description |
|---|---|---|---|
| Owner Name | String | N/A | ThreatConnect owner (organization, community, or source) to fetch the indicator data from. |
Run On
This action runs on the following entities:
- IP Address
- Filehash
- URL
- Hostname
Action Results
Entity Enrichment
| Enrichment Field Name | Logic - When to apply | 
|---|---|
| securityLabels | Returns if it exists in JSON result | 
| owners | Returns if it exists in JSON result | 
| victims | Returns if it exists in JSON result | 
| tags | Returns if it exists in JSON result | 
| general | Returns if it exists in JSON result | 
| observations | Returns if it exists in JSON result | 
| groups | Returns if it exists in JSON result | 
| indicators | Returns if it exists in JSON result | 
| attributes | Returns if it exists in JSON result | 
| observationCount | Returns if it exists in JSON result | 
| victimAsset | Returns if it exists in JSON result | 
Insights
N/A
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_enriched | True/False | is_enriched:False |
JSON Result
```json
[
  {
    "EntityResult": {
      "securityLabels": {
        "securityLabel": [],
        "resultCount": 0
      },
      "owners": {
        "owner": [
          {
            "type": "Organization",
            "id": 440,
            "name": "S"
          }
        ]
      },
      "victims": {
        "resultCount": 0,
        "victim": []
      },
      "tags": [
        "C2",
        "Malware"
      ],
      "general": {
        "url": {
          "rating": 5.0,
          "confidence": 100,
          "dateAdded": "2018-01-09T20:12:11Z",
          "description": "URL Associated with CryptoLocker C2 Servers",
          "threatAssessConfidence": 93.33,
          "lastModified": "2018-01-09T20:13:24Z",
          "threatAssessRating": 4.33,
          "webLink": "https://sandbox.threatconnect.com/auth/indicators/details/url.xhtml?orgid=43743075&owner=S",
          "text": "http://markossolomon.com/f1q7qx.php",
          "owner": {
            "type": "Organization",
            "id": 440,
            "name": "S"
          },
          "id": 43743075
        }
      },
      "observations": {
        "resultCount": 0,
        "observation": []
      },
      "groups": null,
      "indicators": {
        "indicator": [],
        "resultCount": 0
      },
      "attributes": {
        "Description": [
          "URL Associated with CryptoLocker C2 Servers"
        ]
      },
      "observationCount": {
        "observationCount": {
          "count": 0
        }
      },
      "victimAssets": {
        "victimAsset": [],
        "resultCount": 0
      }
    },
    "Entity": "HTTP://MARKOSSOLOMON.COM/F1Q7QX.PHP"
  }
]
```
 
Ping
Description
Test Connectivity.
Parameters
N/A
Run On
This action runs on all entities.
Action Results
Entity Enrichment
N/A
Insights
N/A
Script Result
| Script Result Name | Value Options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON Result
  N/A 
 
 

