Anomali ThreatStream v3
Use Anomali ThreatStream to query and submit threats.
Data Enrichment & Threat Intelligence · Anomali ThreatStream
Configuration parameters
url— Server URL (e.g., https://www.test.com) (required)credentials— Username (required)url_threshold— URL thresholdip_threshold— IP thresholddomain_threshold— Domain thresholdfile_threshold— File thresholdemail_threshold— Email thresholdinclude_inactive— Include inactive resultsintegrationReliability— Source Reliabilityindicator_default_score— Default DBOT score for indicators with low confidenceinsecure— Trust any certificate (not secure)proxy— Use system proxy settingscreate_relationships— Create relationshipsremote_api— Remote API
Commands (42)
-
domainChecks the reputation of the given domain name.
-
fileChecks the reputation of the given hash of the file.
-
ipChecks the reputation of the given IP address.
-
threatstream-add-indicator-tagAdd tags to the indicators.
-
threatstream-add-investigation-elementAdd an element to the existing investigation at ThreatStream.
-
threatstream-add-tag-to-modelAdds tags to intelligence to filter for related entities.
-
threatstream-add-threat-model-associationCreates associations between threat model entities on the ThreatStream platform.
-
threatstream-analysis-reportReturns the report of a file or URL submitted to the sandbox.
-
threatstream-approve-import-jobApprove all observables in an import job.
-
threatstream-clone-imported-indicatorClones already imported indicators (observables), used with the edit classification to move to a trusted circle.
-
threatstream-create-investigationCreate an investigation at ThreatStream.
-
threatstream-create-modelCreates a threat model with the specified parameters.
-
threatstream-create-ruleCreate a rule in the ThreatStream platform.
-
threatstream-create-whitelist-entryCreates a new whitelist entry.
-
threatstream-delete-investigationDeletes an existing investigation at ThreatStream.
-
threatstream-delete-ruleDelete a rule from ThreatStream.
-
threatstream-delete-whitelist-entryDelete a whitelist entry.
-
threatstream-edit-classificationEdit the values for observable that have been cloned.
-
threatstream-email-reputationChecks the reputation of the given email address.
-
threatstream-get-analysis-statusReturns the current status of the report submitted to the sandbox. The report ID is returned from the threatstream-submit-to-sandbox command.
-
threatstream-get-indicatorsReturn filtered indicators from ThreatStream. If a query is defined, it overrides all other arguments that were passed to the command.
-
threatstream-get-indicators-by-modelReturns a list of indicators associated with the specified model and ID of the model.
-
threatstream-get-model-descriptionReturns an HTML file with a description of the threat model.
-
threatstream-get-model-listReturns a list of threat models.
-
threatstream-get-passive-dnsReturns enrichment data for Domain or IP for available observables.
-
threatstream-import-indicator-with-approvalImports indicators (observables) into ThreatStream. The imported data must be approved using the ThreatStream UI. The data can be imported using one of three methods: plain-text, file, or URL. You must have the Approve Import privilege in order to import observables through the API with default_state set to active.
-
threatstream-import-indicator-without-approvalImports indicators (observables) into ThreatStream. Approval is not required for the imported data. You must have the Approve Intel user permission to import without approval using the API.
-
threatstream-list-import-jobGets an import list.
-
threatstream-list-investigationGets a list of investigations from ThreatStream.
-
threatstream-list-ruleGets a list of rules from ThreatStream.
-
threatstream-list-userGets list of users from ThreatStream. Only users with org admin permission can run this command.
-
threatstream-list-whitelist-entryGet a list of whitelist entries.
-
threatstream-remove-indicator-tagRemove tags from the indicators.
-
threatstream-search-intelligenceReturns filtered intelligence from ThreatStream. If a query is defined, it overrides all other arguments that were passed to the command.
-
threatstream-search-threat-modelRetrieve threat model entities from ThreatStream.
-
threatstream-submit-to-sandboxSubmits a file or URL to the ThreatStream-hosted sandbox for detonation.
-
threatstream-supported-platformsReturns a list of supported platforms for default or premium sandbox.
-
threatstream-update-investigationUpdates an existing investigation at ThreatStream.
-
threatstream-update-modelUpdates a threat model with specific parameters. If one or more optional parameters are defined, the command overrides previous data stored in ThreatStream.
-
threatstream-update-ruleUpdates existing rule from ThreatStream.
-
threatstream-update-whitelist-entry-noteModify contextual notes associated with existing whitelist entries.
-
urlChecks the reputation of the given URL.