Anomali ThreatStream | Marketplace

Details
Content
Dependencies
Version History

Use Anomali ThreatStream to query and submit threats.

Anomali ThreatStream collects global threat data, providing you with the insights you need to determine if an event is a security threat.

What does this pack do?

Checks the reputation of a given URL, IP address, domain name, hash of a file, or email address.
Returns enrichment data for a domain or IP address for available indicators (observables).
Imports indicators (observables) into ThreatStream.
Returns an HTML file with a description of the threat model.
Returns a list of indicators associated with the specified model.
Submits a file or URL to the ThreatStream-hosted sandbox for detonation.
Returns a report of a file or URL submitted to the sandbox.
Returns filtered indicators or intelligence from ThreatStream.
Adds tags to intelligence to filter for related entities.
Creates or updates a threat model with the specified parameters.

This content pack includes 2 playbooks that:

Detonates one or more files. It returns relevant reports to the War Room and file reputations to the context data.
Detonates one or more URLs. It returns relevant reports to the War Room and URL reputations to the context data.

Anomali ThreatStream collects global threat data, providing you with the insights you need to determine if an event is a security threat.

What does this pack do?

Checks the reputation of a given URL, IP address, domain name, hash of a file, or email address.
Returns enrichment data for a domain or IP address for available indicators (observables).
Imports indicators (observables) into ThreatStream.
Returns an HTML file with a description of the threat model.
Returns a list of indicators associated with the specified model.
Submits a file or URL to the ThreatStream-hosted sandbox for detonation.
Returns a report of a file or URL submitted to the sandbox.
Returns filtered indicators or intelligence from ThreatStream.
Adds tags to intelligence to filter for related entities.
Creates or updates a threat model with the specified parameters.

This content pack includes 2 playbooks that:

Detonates one or more files. It returns relevant reports to the War Room and file reputations to the context data.
Detonates one or more URLs. It returns relevant reports to the War Room and URL reputations to the context data.

Automations

Name	Description
ThreatstreamBuildIocImportJson	Builds A JSON array based on the values provided by the user for the 'threatstream-import-indicator-without-approval' command.

Integrations

Name	Description
Anomali ThreatStream v2 (Deprecated)	Deprecated. Use Anomali ThreatStream v3 integration instead.
Anomali ThreatStream v3	Use Anomali ThreatStream to query and submit threats.
Anomali ThreatStream (Deprecated)	Deprecated. Use Anomali ThreatStream v3 instead. Use Anomali ThreatStream to query and submit threats

Playbooks

Name	Description
Detonate URL - ThreatStream	Detonates one or more URLs using the Anomali ThreatStream v2 sandbox integration. Returns relevant reports to the War Room and URL reputations to the context data.
Detonate File - ThreatStream	Detonate one or more files using the Anomali ThreatStream v2 integration. This playbook returns relevant reports to the War Room, and file reputations to the context data.

Automations

Name	Description
ThreatstreamBuildIocImportJson	Builds A JSON array based on the values provided by the user for the 'threatstream-import-indicator-without-approval' command.

Integrations

Name	Description
Anomali ThreatStream v3	Use Anomali ThreatStream to query and submit threats.
Anomali ThreatStream (Deprecated)	Deprecated. Use Anomali ThreatStream v3 instead. Use Anomali ThreatStream to query and submit threats
Anomali ThreatStream v2 (Deprecated)	Deprecated. Use Anomali ThreatStream v3 integration instead.

Playbooks

Name	Description
Detonate File - ThreatStream	Detonate one or more files using the Anomali ThreatStream v2 integration. This playbook returns relevant reports to the War Room, and file reputations to the context data.
Detonate URL - ThreatStream	Detonates one or more URLs using the Anomali ThreatStream v2 sandbox integration. Returns relevant reports to the War Room and URL reputations to the context data.

Required Content Packs (3)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR

Optional Content Packs (0)

Pack Name	Pack By

All level dependencies (6)

Pack Name	Pack By
Common Playbooks	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR
Base	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR

2.2.17 - 916317 (March 26, 2024)

Scripts

ThreatstreamBuildIocImportJson

Updated the Docker image to: demisto/python3:3.10.14.90585.

Related pull requests:
- 33514
- 33458
- 33455
- 33501
- 33509
- 33490
- 33477
- 33461
- 33365
- 33315
- 33454

Download

2.2.16 - 823153 (February 12, 2024)

Integrations

Anomali ThreatStream v3

Updated the Docker image to: demisto/py3-tools:1.0.0.87415.

Related pull requests:
- 32840

Download

2.2.15 - 798475 (February 1, 2024)

Integrations

Anomali ThreatStream v3

Updated the Docker image to: demisto/py3-tools:1.0.0.86612.

Related pull requests:
- 32522

Download

2.2.14 - 760302 (January 14, 2024)

Integrations

Anomali ThreatStream v3

Updated the Docker image to: demisto/py3-tools:1.0.0.84811.

Related pull requests:
- 32154

Download

2.2.13 - 743135 (January 4, 2024)

Integrations

Anomali ThreatStream v3

Updated the Docker image to: demisto/py3-tools:1.0.0.84236.

Related pull requests:
- 31969

Download

2.2.12 - 729445 (January 1, 2024)

Integrations

Anomali ThreatStream v3

Updated the Docker image to: demisto/py3-tools:1.0.0.84025.

Related pull requests:
- 31880

Download

2.2.11 - 721233 (December 27, 2023)

Integrations

Anomali ThreatStream v3

Updated the Docker image to: demisto/py3-tools:1.0.0.83976.

Related pull requests:
- 31814

Download

2.2.10 - 7209615 (December 19, 2023)

Integrations

Anomali ThreatStream v3

Updated the Docker image to: demisto/py3-tools:1.0.0.83687.

Related pull requests:
- 31553

Download

2.2.9 - 7076512 (December 5, 2023)

Integrations

Anomali ThreatStream v3

Fixed an issue where the threatstream-get-indicators command would not fetch all the indicators.
Updated the Docker image to: demisto/py3-tools:1.0.0.82746.

Related pull requests:
- 31269

Download

2.2.8 - 7066068 (December 4, 2023)

Integrations

Anomali ThreatStream v3

Updated the Docker image to: demisto/py3-tools:1.0.0.82341.

Related pull requests:
- 31289

Download

2.2.7 - 7029664 (November 30, 2023)

Integrations

Anomali ThreatStream v3

Updated the Docker image to: demisto/py3-tools:1.0.0.81890.

Related pull requests:
- 31217

Download

2.2.6 - 7012606 (November 28, 2023)

Integrations

Anomali ThreatStream v3

Added a new parameter Default DBOT score for indicators with low Confidence - Toggle between Unknown and Benign.
Updated the Docker image to: demisto/py3-tools:1.0.0.81280.

Related pull requests:
- 30993
- 31151

Download

2.2.5 - 6955725 (November 21, 2023)

Playbooks

Detonate URL - ThreatStream

Fixed an issue where the playbook output listed 'ANYRUN' instead of 'ThreatStream' command output.
Updated the 'URL' playbook input to use 'URL.Data' as the default value.

Related pull requests:
- 30992

Download

2.2.4 - 6944614 (November 20, 2023)

Integrations

Anomali ThreatStream v3

Updated the Docker image to: demisto/py3-tools:1.0.0.80754.
Improved documentation for the threatstream-import-indicator-without-approval command.

Related pull requests:
- 30976

Download

2.2.3 - 6804257 (November 5, 2023)

Integrations

Anomali ThreatStream v3

Added the remote_api instance configuration, to allow gathering of additional information about the threat model from remote APIs.
Updated the Docker image to: demisto/py3-tools:1.0.0.79870.

Related pull requests:
- 30537
- 30154

Download

2.2.2 - 6636841 (October 18, 2023)

Integrations

Anomali ThreatStream v3

Updated the Docker image to: demisto/py3-tools:1.0.0.77497.

Related pull requests:
- 30237

Download

2.2.1 - 6608983 (October 15, 2023)

Integrations

Anomali ThreatStream v3

Updated the Docker image to: demisto/py3-tools:1.0.0.77054.

Related pull requests:
- 30136

Download

2.2.0 - 6453502 (September 28, 2023)

Integrations

Anomali ThreatStream v3

Added 2 commands:
- threatstream-remove-indicator-tag
- threatstream-add-indicator-tag

Related pull requests:
- 29803

Download

2.1.12 - 6437102 (September 27, 2023)

Integrations

Anomali ThreatStream v3

Updated the Docker image to: demisto/py3-tools:1.0.0.75615.

Related pull requests:
- 29871

Download

2.1.11 - 6259960 (September 7, 2023)

Integrations

Anomali ThreatStream v3

Updated the Docker image to: demisto/py3-tools:1.0.0.73055.

Related pull requests:
- 29532

Download

2.1.10 - 6117817 (August 22, 2023)

Integrations

Anomali ThreatStream v3

Updated the Docker image to: demisto/py3-tools:1.0.0.71964.

Related pull requests:
- 29105

Download

2.1.9 - 5969979 (August 6, 2023)

Integrations

Anomali ThreatStream v3

Updated the Docker image to: demisto/py3-tools:1.0.0.67747.

Related pull requests:
- 28780

Download

2.1.8 - R5866730 (July 25, 2023)

Integrations

Anomali ThreatStream v3

Updated the Docker image to: demisto/py3-tools:1.0.0.66127.

Related pull requests:
- 28381

Download

2.1.7 - R5801668 (July 18, 2023)

Integrations

Anomali ThreatStream v3

Updated the Docker image to: demisto/py3-tools:1.0.0.64487.

Related pull requests:
- 27949

Download

2.1.6 - R5692327 (July 5, 2023)

Integrations

Anomali ThreatStream v3

Added the following arguments to the threatstream-import-indicator-with-approval command:
- tags_tlp
- default_state
- expiration_ts
Added the tags_tlp argument to the threatstream-import-indicator-without-approval command.
Updated the Docker image to: demisto/py3-tools:1.0.0.63856.

Related pull requests:
- 27558

Download

2.1.5 - 5527167 (June 14, 2023)

Integrations

Anomali ThreatStream v3

Fixed an issue where the threatstream-submit-to-sandbox command didn't pass the detail argument to the Threatstream API correctly.
Updated the docker image to: demisto/py3-tools:1.0.0.63020.

Related pull requests:
- 27420

Download

2.1.4 - R5450895 (June 5, 2023)

Integrations

Anomali ThreatStream v3

Added the source_confidence_weight argument to the threatstream-import-indicator-with-approval command.
Updated the docker image to: demisto/py3-tools:1.0.0.61931.

Related pull requests:
- 26956

Download

2.1.3 - 5295992 (May 18, 2023)

Integrations

Anomali ThreatStream v3

Updated the Docker image to: demisto/py3-tools:1.0.0.59406.

Related pull requests:
- 26597

Download

2.1.2 - 5176833 (May 3, 2023)

Integrations

Anomali ThreatStream v3

Updated the Docker image to: demisto/py3-tools:1.0.0.56465.

Related pull requests:
- 26258

Download

2.1.1 - R5170573 (May 2, 2023)

Integrations

Anomali ThreatStream v3

Updated the Docker image to: demisto/py3-tools:1.0.0.54695.
Added support for the indicators_json argument in the threatstream-import-indicator-without-approval* command.
Updated the file_id argument in the threatstream-import-indicator-without-approval* command to optional.

Scripts

New: ThreatstreamBuildIocImportJson

Builds A JSON array based on the values provided by the user for the 'threatstream-import-indicator-without-approval' command.

Related pull requests:
- 25911

Download

2.1.0 - 5000567 (April 9, 2023)

Integrations

Anomali ThreatStream v3

Updated the Docker image to: demisto/py3-tools:1.0.0.53611.
Added support for the malware and attack pattern options in the model argument in the following commands:
- threatstream-get-model-list
- threatstream-get-indicators-by-model
Added support for the page and page_size arguments in the following commands:
- threatstream-get-indicators
- threatstream-get-model-list
- threatstream-get-indicators-by-model
Added support for the all_results argument in the following commands:
- threatstream-get-passive-dns
- threatstream-supported-platforms
Added the tags argument to the threatstream-import-indicator-with-approval command.
Added 18 commands:
- threatstream-list-rule
- threatstream-create-rule
- threatstream-update-rule
- threatstream-delete-rule
- threatstream-list-user
- threatstream-list-investigation
- threatstream-create-investigation
- threatstream-update-investigation
- threatstream-delete-investigation
- threatstream-add-investigation-element
- threatstream-list-whitelist-entry
- threatstream-create-whitelist-entry
- threatstream-update-whitelist-entry-note
- threatstream-delete-whitelist-entry
- threatstream-list-import-job
- threatstream-approve-import-job
- threatstream-search-threat-model
- threatstream-add-threat-model-association

Related pull requests:
- 25514

Download

PUBLISHER

Cortex

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	June 30, 2020
Last Release	March 26, 2024

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.