Anomali ThreatStream v3

Use Anomali ThreatStream to query and submit threats.

Data Enrichment & Threat Intelligence · Anomali ThreatStream

Configuration parameters

  • url — Server URL (e.g., https://www.test.com) (required)
  • credentials — Username (required)
  • url_threshold — URL threshold
  • ip_threshold — IP threshold
  • domain_threshold — Domain threshold
  • file_threshold — File threshold
  • email_threshold — Email threshold
  • include_inactive — Include inactive results
  • integrationReliability — Source Reliability
  • indicator_default_score — Default DBOT score for indicators with low confidence
  • insecure — Trust any certificate (not secure)
  • proxy — Use system proxy settings
  • create_relationships — Create relationships
  • remote_api — Remote API

Commands (42)

  • domain

    Checks the reputation of the given domain name.

  • file

    Checks the reputation of the given hash of the file.

  • ip

    Checks the reputation of the given IP address.

  • threatstream-add-indicator-tag

    Add tags to the indicators.

  • threatstream-add-investigation-element

    Add an element to the existing investigation at ThreatStream.

  • threatstream-add-tag-to-model

    Adds tags to intelligence to filter for related entities.

  • threatstream-add-threat-model-association

    Creates associations between threat model entities on the ThreatStream platform.

  • threatstream-analysis-report

    Returns the report of a file or URL submitted to the sandbox.

  • threatstream-approve-import-job

    Approve all observables in an import job.

  • threatstream-clone-imported-indicator

    Clones already imported indicators (observables), used with the edit classification to move to a trusted circle.

  • threatstream-create-investigation

    Create an investigation at ThreatStream.

  • threatstream-create-model

    Creates a threat model with the specified parameters.

  • threatstream-create-rule

    Create a rule in the ThreatStream platform.

  • threatstream-create-whitelist-entry

    Creates a new whitelist entry.

  • threatstream-delete-investigation

    Deletes an existing investigation at ThreatStream.

  • threatstream-delete-rule

    Delete a rule from ThreatStream.

  • threatstream-delete-whitelist-entry

    Delete a whitelist entry.

  • threatstream-edit-classification

    Edit the values for observable that have been cloned.

  • threatstream-email-reputation

    Checks the reputation of the given email address.

  • threatstream-get-analysis-status

    Returns the current status of the report submitted to the sandbox. The report ID is returned from the threatstream-submit-to-sandbox command.

  • threatstream-get-indicators

    Return filtered indicators from ThreatStream. If a query is defined, it overrides all other arguments that were passed to the command.

  • threatstream-get-indicators-by-model

    Returns a list of indicators associated with the specified model and ID of the model.

  • threatstream-get-model-description

    Returns an HTML file with a description of the threat model.

  • threatstream-get-model-list

    Returns a list of threat models.

  • threatstream-get-passive-dns

    Returns enrichment data for Domain or IP for available observables.

  • threatstream-import-indicator-with-approval

    Imports indicators (observables) into ThreatStream. The imported data must be approved using the ThreatStream UI. The data can be imported using one of three methods: plain-text, file, or URL. You must have the Approve Import privilege in order to import observables through the API with default_state set to active.

  • threatstream-import-indicator-without-approval

    Imports indicators (observables) into ThreatStream. Approval is not required for the imported data. You must have the Approve Intel user permission to import without approval using the API.

  • threatstream-list-import-job

    Gets an import list.

  • threatstream-list-investigation

    Gets a list of investigations from ThreatStream.

  • threatstream-list-rule

    Gets a list of rules from ThreatStream.

  • threatstream-list-user

    Gets list of users from ThreatStream. Only users with org admin permission can run this command.

  • threatstream-list-whitelist-entry

    Get a list of whitelist entries.

  • threatstream-remove-indicator-tag

    Remove tags from the indicators.

  • threatstream-search-intelligence

    Returns filtered intelligence from ThreatStream. If a query is defined, it overrides all other arguments that were passed to the command.

  • threatstream-search-threat-model

    Retrieve threat model entities from ThreatStream.

  • threatstream-submit-to-sandbox

    Submits a file or URL to the ThreatStream-hosted sandbox for detonation.

  • threatstream-supported-platforms

    Returns a list of supported platforms for default or premium sandbox.

  • threatstream-update-investigation

    Updates an existing investigation at ThreatStream.

  • threatstream-update-model

    Updates a threat model with specific parameters. If one or more optional parameters are defined, the command overrides previous data stored in ThreatStream.

  • threatstream-update-rule

    Updates existing rule from ThreatStream.

  • threatstream-update-whitelist-entry-note

    Modify contextual notes associated with existing whitelist entries.

  • url

    Checks the reputation of the given URL.