Anomali ThreatStream SOAR Integration

This document details the tools provided by the Anomali ThreatStream SOAR integration.

Tools

anomali_threat_stream_add_tags_to_entities

Add tags to entities in Anomali ThreatStream. Supported entities: Hash, URL, IP Address, Email Address (user entity that matches email regex).

Parameters:

  • case_id (str, required): The ID of the case.

  • alert_group_identifiers (List[str], required): Identifiers for the alert groups.

  • tags (str, required): Specify a comma-separated list of tags that need to be added to entities in Anomali ThreatStream.

  • target_entities (List[TargetEntity], optional, default=[]): Optional list of specific target entities (Identifier, EntityType) to run the action on.

  • scope (str, optional, default="All entities"): Defines the scope for the action.

anomali_threat_stream_ping

Test connectivity to the Anomali ThreatStream with parameters provided at the integration configuration page on the Marketplace tab.

Parameters:

  • case_id (str, required): The ID of the case.

  • alert_group_identifiers (List[str], required): Identifiers for the alert groups.

  • target_entities (List[TargetEntity], optional, default=[]): Optional list of specific target entities (Identifier, EntityType) to run the action on.

  • scope (str, optional, default="All entities"): Defines the scope for the action.

anomali_threat_stream_report_as_false_positive

Report entities in Anomali ThreatStream as false positive. Supported entities: Hash, URL, IP Address, Email Address (user entity that matches email regex).

Parameters:

  • case_id (str, required): The ID of the case.

  • alert_group_identifiers (List[str], required): Identifiers for the alert groups.

  • reason (str, required): Specify the reason why you want to mark entities as false positives.

  • comment (str, required): Specify additional information related to your decision regarding marking the entity as false positive.

  • target_entities (List[TargetEntity], optional, default=[]): Optional list of specific target entities (Identifier, EntityType) to run the action on.

  • scope (str, optional, default="All entities"): Defines the scope for the action.

anomali_threat_stream_submit_observables

Submit an observable to Anomali ThreatStream based on IP, URL, Hash, Email entities. Note: requires “Org admin”, “Create Anomali Community Intel” and “Approve Intel” permissions. Supported entities: Hash, URL, IP Address, Email Address (user entity that matches email regex).

Parameters:

  • case_id (str, required): The ID of the case.

  • alert_group_identifiers (List[str], required): Identifiers for the alert groups.

  • classification (List[str], required): Specify the classification of the observable.

  • threat_type (List[str], required): Specify the threat type of the observables.

  • source (Optional[str], optional, default=None): Specify the intelligence source for the observable.

  • expiration_date (Optional[str], optional, default=None): Specify the expiration date, in days, for the observable. If nothing is specified, the action creates an observable that never expires.

  • trusted_circle_i_ds (Optional[str], optional, default=None): Specify a comma-separated list of trusted circle IDs. Observables will be shared with those trusted circles.

  • tlp (Optional[List[str]], optional, default=None): Specify the TLP for your observables.

  • confidence (Optional[str], optional, default=None): Specify the confidence for the observable. Note: this parameter only takes effect when you create observables in your own organization, and requires ‘Override System Confidence’ to be enabled.

  • override_system_confidence (Optional[bool], optional, default=None): If enabled, created observables will have the confidence specified in the ‘Confidence’ parameter. Note: observables cannot be shared with trusted circles or publicly when this parameter is enabled.

  • anonymous_submission (Optional[bool], optional, default=None): If enabled, the action makes an anonymous submission.

  • tags (Optional[str], optional, default=None): Specify a comma-separated list of tags that you want to add to the observable.

  • target_entities (List[TargetEntity], optional, default=[]): Optional list of specific target entities (Identifier, EntityType) to run the action on.

  • scope (str, optional, default="All entities"): Defines the scope for the action.

anomali_threat_stream_remove_tags_from_entities

Remove tags from entities in Anomali ThreatStream. Supported entities: Hash, URL, IP Address, Email Address (user entity that matches email regex).

Parameters:

  • case_id (str, required): The ID of the case.

  • alert_group_identifiers (List[str], required): Identifiers for the alert groups.

  • tags (str, required): Specify a comma-separated list of tags that need to be removed from entities in Anomali ThreatStream.

  • target_entities (List[TargetEntity], optional, default=[]): Optional list of specific target entities (Identifier, EntityType) to run the action on.

  • scope (str, optional, default="All entities"): Defines the scope for the action.

anomali_threat_stream_enrich_entities

Retrieve information about entities from Anomali ThreatStream. Supported entities: Hash, URL, IP Address, Email Address (user entity that matches email regex), Hostname, Domain.

Parameters:

  • case_id (str, required): The ID of the case.

  • alert_group_identifiers (List[str], required): Identifiers for the alert groups.

  • severity_threshold (List[str], required): Specify the severity threshold an entity must reach in order to be marked as suspicious. If multiple records are found for the same entity, the action takes the highest severity across all available records.

  • confidence_threshold (str, required): Specify the confidence threshold an entity must reach in order to be marked as suspicious. Note: the maximum is 100. If multiple records are found for the entity, the action takes the average; active records have priority.

  • create_insight (bool, required): If enabled, the action adds an insight per processed entity.

  • only_suspicious_entity_insight (bool, required): If enabled, the action creates an insight only for entities that exceed the “Severity Threshold” and “Confidence Threshold”.

  • ignore_false_positive_status (Optional[bool], optional, default=None): If enabled, the action ignores the false positive status and marks the entity as suspicious based only on the “Severity Threshold” and “Confidence Threshold”. If disabled, the action never labels false positive entities as suspicious, regardless of whether they pass the “Severity Threshold” and “Confidence Threshold” conditions.

  • add_threat_type_to_case (Optional[bool], optional, default=None): If enabled, the action adds the threat types of the entity from all records as tags to the case (for example, apt).

  • target_entities (List[TargetEntity], optional, default=[]): Optional list of specific target entities (Identifier, EntityType) to run the action on.

  • scope (str, optional, default="All entities"): Defines the scope for the action.
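The suspicious-entity decision described by the severity_threshold, confidence_threshold, ignore_false_positive_status and add_threat_type_to_case parameters, as an added illustration that is not the integration's own code. The Record shape, the severity names and their ordering, inclusive (>=) threshold comparison, per-record false-positive flags, and the reading of "active records have priority" as "average only the active records when any exist" are all assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed severity ordering; the integration's real severity names are an assumption here.
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "very-high": 3}


@dataclass
class Record:                       # one ThreatStream record for an entity (constructed shape)
    severity: str
    confidence: int                 # 0..100
    active: bool                    # active record vs. inactive/expired
    false_positive: bool = False    # record marked as false positive (assumed per-record flag)
    threat_type: Optional[str] = None


@dataclass
class Verdict:
    suspicious: bool
    max_severity: Optional[str]
    avg_confidence: Optional[float]
    threat_types: List[str] = field(default_factory=list)


def highest_severity(records: List[Record]) -> str:
    # Several records for one entity: the highest severity wins.
    return max(records, key=lambda r: SEVERITY_RANK[r.severity]).severity


def average_confidence(records: List[Record]) -> float:
    # Several records: take the average; active records have priority, read here
    # as "average only the active ones when any exist".
    pool = [r for r in records if r.active] or records
    return sum(r.confidence for r in pool) / len(pool)


def evaluate_entity(records: List[Record], severity_threshold: str, confidence_threshold: int,
                    ignore_false_positive_status: bool = False) -> Verdict:
    """Decide whether an entity is suspicious under the enrich_entities rules."""
    if not 0 <= confidence_threshold <= 100:
        raise ValueError("confidence threshold maximum is 100")
    if not records:
        return Verdict(False, None, None)
    max_sev = highest_severity(records)
    avg_conf = average_confidence(records)
    suspicious = (SEVERITY_RANK[max_sev] >= SEVERITY_RANK[severity_threshold]
                  and avg_conf >= confidence_threshold)
    # Unless false-positive status is ignored, a false-positive entity is never suspicious.
    if not ignore_false_positive_status and any(r.false_positive for r in records):
        suspicious = False
    threat_types = sorted({r.threat_type for r in records if r.threat_type})  # case tags
    return Verdict(suspicious, max_sev, avg_conf, threat_types)
```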