Palo Alto Unit 42 Reports CDF
The web format of this guide reflects the most current release. Guides for older iterations are available in PDF format.
Integration Details
ThreatQuotient provides the following details for this integration:
Current Integration Version | 1.0.0 |
Compatible with ThreatQ Versions | >= 4.35.0 |
Support Tier | ThreatQ Supported |
Introduction
The Palo Alto Unit 42 Reports CDF for ThreatQ enables an analyst to automatically ingest OSINT intelligence published by Palo Alto Networks.
The integration provides the following feed:
- Palo Alto Unit 42 Reports - ingests Reports, Campaigns, Attack Patterns, Indicators, Signatures and Courses of Action.
The integration ingests the following system objects:
- Reports
- Campaigns
- Attack Patterns
- Indicators
- Signatures
- Courses of Action
Installation
This integration can be installed in the My Integration section of your ThreatQ instance. See the Adding an Integration topic for more details.
Configuration
ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.
To configure the integration:
- Navigate to your integrations management page in ThreatQ.
- Select the OSINT option from the Category dropdown (optional).
If you are installing the integration for the first time, it will be located under the Disabled tab.
- Click on the integration entry to open its details page.
- Enter the following parameters under the Configuration tab:
Parameter | Description |
---|---|
GitHub Username | Optional - Your GitHub username. |
GitHub Personal Access Token | Optional - Your GitHub personal access token. The public GitHub API only allows 60 requests per hour per source address; authenticating with your GitHub username and access token raises that limit to 5,000 requests per hour. The repository is public, so the token needs no scopes and is used only to raise the rate limit. |
- Review any additional settings, make any changes if needed, and click on Save.
- Click on the toggle switch, located above the Additional Information section, to enable it.
ThreatQ Mapping
Palo Alto Unit 42 Reports
The Palo Alto Unit 42 Reports feed automatically pulls public STIX reports from the Palo Alto Unit 42 GitHub Repository.
GET https://api.github.com/repos/pan-unit42/iocs/contents/stix2-reports/report_json
Sample Response:
[
{
"name": "CodeCov_Breach.json",
"path": "stix2-reports/report_json/CodeCov_Breach.json",
"sha": "4167ae1042f55117e3b914527be5865626f27c5c",
"size": 26793,
"url": "https://api.github.com/repos/pan-unit42/iocs/contents/stix2-reports/report_json/CodeCov_Breach.json?ref=master",
"html_url": "https://github.com/pan-unit42/iocs/blob/master/stix2-reports/report_json/CodeCov_Breach.json",
"git_url": "https://api.github.com/repos/pan-unit42/iocs/git/blobs/4167ae1042f55117e3b914527be5865626f27c5c",
"download_url": "https://raw.githubusercontent.com/pan-unit42/iocs/master/stix2-reports/report_json/CodeCov_Breach.json",
"type": "file",
"_links": {
"self": "https://api.github.com/repos/pan-unit42/iocs/contents/stix2-reports/report_json/CodeCov_Breach.json?ref=master",
"git": "https://api.github.com/repos/pan-unit42/iocs/git/blobs/4167ae1042f55117e3b914527be5865626f27c5c",
"html": "https://github.com/pan-unit42/iocs/blob/master/stix2-reports/report_json/CodeCov_Breach.json"
}
},
{
"name": "Defray777_TA.json",
"path": "stix2-reports/report_json/Defray777_TA.json",
"sha": "52cc89146040292b17a9a1d740ba6c1f4da710f0",
"size": 86057,
"url": "https://api.github.com/repos/pan-unit42/iocs/contents/stix2-reports/report_json/Defray777_TA.json?ref=master",
"html_url": "https://github.com/pan-unit42/iocs/blob/master/stix2-reports/report_json/Defray777_TA.json",
"git_url": "https://api.github.com/repos/pan-unit42/iocs/git/blobs/52cc89146040292b17a9a1d740ba6c1f4da710f0",
"download_url": "https://raw.githubusercontent.com/pan-unit42/iocs/master/stix2-reports/report_json/Defray777_TA.json",
"type": "file",
"_links": {
"self": "https://api.github.com/repos/pan-unit42/iocs/contents/stix2-reports/report_json/Defray777_TA.json?ref=master",
"git": "https://api.github.com/repos/pan-unit42/iocs/git/blobs/52cc89146040292b17a9a1d740ba6c1f4da710f0",
"html": "https://github.com/pan-unit42/iocs/blob/master/stix2-reports/report_json/Defray777_TA.json"
}
}
]
Each JSON file listed in the response is downloaded from its download_url and passed to ThreatQ's STIX parser; the parser's output is submitted directly to the ThreatQ API. As such, there are no custom mappings for this feed, and the object types ingested are whatever STIX types the reports contain.
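The walk described above, as an added example that is not ThreatQuotient's or Palo Alto's code: it filters the directory listing to regular .json files, downloads each one, checks the downloaded bytes against the listing's git blob sha (the `sha` field in the sample response is Git's object id, sha1 of `"blob <size>\0" + content`, so the check is an added integrity step this example performs, not something the guide says the feed does), and counts STIX object types per bundle. HTTP Basic with `username:token` is assumed as the authenticated transport for the username and personal access token pair from the Configuration table; the listing entry, the STIX bundle and the `offline_download` stand-in are constructed so the script runs without network access.

```python
import base64
import hashlib
import json
from typing import Callable, Dict, List, Optional

# Directory listing the feed walks (URL from the integration guide).
LISTING_URL = (
    "https://api.github.com/repos/pan-unit42/iocs/contents/"
    "stix2-reports/report_json"
)


def auth_headers(username: Optional[str], token: Optional[str]) -> Dict[str, str]:
    """Request headers for the GitHub REST API.

    Unauthenticated calls share a 60 requests/hour limit per source address;
    sending username:token as HTTP Basic credentials (assumed transport) raises
    it to 5,000/hour. Without credentials no Authorization header is sent.
    """
    headers = {"Accept": "application/vnd.github+json"}
    if username and token:
        creds = base64.b64encode(f"{username}:{token}".encode()).decode()
        headers["Authorization"] = f"Basic {creds}"
    return headers


def git_blob_sha(content: bytes) -> str:
    """Git object id of a blob: sha1("blob <size>\\0" + content).

    This is the value in the listing's "sha" field, so a downloaded file can be
    checked against the listing before it is handed to a STIX parser.
    """
    header = f"blob {len(content)}\0".encode()
    return hashlib.sha1(header + content).hexdigest()


def select_report_files(listing: List[dict]) -> List[dict]:
    """Keep only regular .json files; the contents API can also list dirs and symlinks."""
    return [
        entry for entry in listing
        if entry.get("type") == "file" and entry.get("name", "").endswith(".json")
    ]


def fetch_and_verify(entry: dict, download: Callable[[str], bytes]) -> dict:
    """Download one listed file and refuse it if its blob sha does not match the listing."""
    body = download(entry["download_url"])
    actual = git_blob_sha(body)
    if actual != entry["sha"]:
        raise ValueError(
            f"{entry['name']}: blob sha mismatch (listing {entry['sha']}, got {actual})"
        )
    return json.loads(body)


def count_stix_types(bundle: dict) -> Dict[str, int]:
    """Count objects per STIX type (report, indicator, attack-pattern, ...)."""
    counts: Dict[str, int] = {}
    for obj in bundle.get("objects", []):
        counts[obj["type"]] = counts.get(obj["type"], 0) + 1
    return counts


def run_feed(listing: List[dict], download: Callable[[str], bytes]) -> Dict[str, int]:
    """Walk the listing the way the feed does and return aggregate STIX type counts."""
    totals: Dict[str, int] = {}
    for entry in select_report_files(listing):
        for stix_type, n in count_stix_types(fetch_and_verify(entry, download)).items():
            totals[stix_type] = totals.get(stix_type, 0) + n
    return totals


# --- Constructed sample data (not real Unit 42 content) -----------------------
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "report", "id": "report--00000000-0000-4000-8000-000000000002",
         "name": "Sample report", "published": "2021-01-01T00:00:00Z",
         "object_refs": ["indicator--00000000-0000-4000-8000-000000000003"]},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern": "[domain-name:value = 'example.invalid']",
         "pattern_type": "stix", "valid_from": "2021-01-01T00:00:00Z"},
        {"type": "attack-pattern",
         "id": "attack-pattern--00000000-0000-4000-8000-000000000004",
         "name": "Phishing"},
    ],
}
SAMPLE_BODY = json.dumps(SAMPLE_BUNDLE).encode()

# Listing entries shaped like the real contents API response; the first carries
# the blob sha of SAMPLE_BODY, the second is a non-report file the walk must skip.
SAMPLE_LISTING = [
    {"name": "Sample_Report.json", "type": "file", "sha": git_blob_sha(SAMPLE_BODY),
     "size": len(SAMPLE_BODY),
     "download_url": "https://raw.githubusercontent.com/pan-unit42/iocs/master/"
                     "stix2-reports/report_json/Sample_Report.json"},
    {"name": "README.md", "type": "file", "sha": "0" * 40, "size": 0,
     "download_url": "https://raw.githubusercontent.com/pan-unit42/iocs/master/README.md"},
]


def offline_download(url: str) -> bytes:
    """Stand-in for an HTTP GET so the example runs without network access."""
    return SAMPLE_BODY


if __name__ == "__main__":
    print(run_feed(SAMPLE_LISTING, offline_download))
```

To run it against the live repository, replace `offline_download` with a function that performs a GET on the given URL (for example with `urllib.request`, sending `auth_headers(...)`), and fetch `LISTING_URL` the same way to obtain the listing; the sha check then rejects any download whose bytes differ from the commit the listing was taken from, which is worth having before parsed objects are submitted to a production ThreatQ instance.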
Average Feed Run
Object counts and Feed runtime are supplied as generalities only - objects returned by a provider can differ based on credential configurations and Feed runtime may vary based on system resources and load.
Metric | Result |
---|---|
Run Time | 3 minutes |
Attack Patterns | 88 |
Attack Pattern Attributes | 1,830 |
Campaigns | 11 |
Campaign Attributes | 11 |
Courses Of Action | 69 |
Course Of Action Attributes | 69 |
Indicators | 1,663 |
Indicator Attributes | 5,190 |
Reports | 25 |
Report Attributes | 75 |
Signatures | 1,670 |
Signature Attributes | 5,013 |
Change Log
- Version 1.0.0
- Initial release
PDF Guides
Document | ThreatQ Version |
---|---|
Palo Alto Unit 42 Reports CDF v1.0.0 | 4.35.0 or Greater |