Secureworks Attacker Database CDF
The web format of this guide reflects the most current release. Guides for older iterations are available in PDF format.
Integration Details
ThreatQuotient provides the following details for this integration:
| Current Integration Version | 1.0.0 |
| Compatible with ThreatQ Versions | >= 4.21.1 |
| Support Tier | ThreatQ Supported |
Introduction
The SecureWorks Attacker DB Connector installs two feeds and ingests threat intelligence data from the Secureworks Attacker Database. The two feeds installed are:
- SecureWorks AttackerDB Domain
- SecureWorks AttackerDB IP
Installation
This integration can be installed in the My Integration section of your ThreatQ instance. See the Adding an Integration topic for more details.
Configuration
ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.
To configure the integration:
- Navigate to your integrations management page in ThreatQ.
- Select the Commercial option from the Category dropdown (optional).
If you are installing the integration for the first time, it will be located under the Disabled tab.
- Click on the integration entry to open its details page.
- Enter the following parameter under the Configuration tab:
Parameter Description SecureWorks Token Your SecureWorks token. - Review any additional settings, make any changes if needed, and click on Save.
- Click on the toggle switch, located above the Additional Information section, to enable it.
ThreatQ Mapping
SecureWorks Attacker DB IP
Sample Response:
"WatchList","HostAddress","ReasonAdded","MemberSince","Latitude","Longitude","CountryCode","Location"
"CTU IP Coal Blacklist","23.227.197.130","Potential Kovter Trojan Variant POST Outbound","2018-03-17T06:37:24Z","41.8466","-87.7172","US","Chicago, United States"
"CTU IP Coal Blacklist","79.175.102.12","TrickBot Malware SSL Certificate - Inbound","2018-04-19T06:37:07Z","44.833","20.5","RS","Belgrade, Serbia"
"CTU IP Coal Blacklist","104.243.42.22","Potential Kovter Trojan Variant POST Outbound","2018-04-14T06:46:09Z","40.5527","-74.4582","US","Piscataway, United States"
"CTU IP Coal Blacklist","108.61.18.118","Potential Kovter Trojan Variant POST Outbound","2018-04-19T06:37:07Z","40.5527","-74.4582","US","Piscataway, United States"ThreatQuotient provides the following default mapping for this feed:
| Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Examples |
|---|---|---|---|
| (first token) | Attribute | WatchList | CTU IP Coal Blacklist |
| 2 (second token) | Indicator | HostAddress | 23.227.197.130 |
| 3 (third token) | Attribute | ReasonAdded | TrickBot Malware SSL Certificate - Inbound |
| 4 (forth token) | Indicator | MemberSince | 2018-03-17T06:37:24Z |
| 5 (fifth token) | Attribute | Latitude | 41.8466 |
| 6 (sixth token) | Attribute Attribute | Longitude | -87.7172 |
| 7 (seventh token) | Attribute | CountryCode | US |
| 8 (eighth token) | Attribute | Location | Chicago, United States |
SecureWorks Attacker DB Domain
Sample Response:
"WatchList","HostAddress","ReasonAdded","MemberSince"
"CTU Domain Coal Blacklist","blacklist-test.secureworks.com","Test - Dell SecureWorks AttackerDB Customer Test Event (non-malicious)","2017-06-14T20:26:01Z",
"CTU Domain Coal Blacklist","differentia.ru","Gamarue Andromeda Trojan Phone Home","2018-02-17T05:30:10Z",
"CTU Domain Coal Blacklist","differentia.ru","Gamarue Andromeda Trojan Phone Home","2018-02-17T05:30:10Z",
"CTU Domain Coal Blacklist","disorderstatus.ru","Gamarue Andromeda Trojan Phone Home","2018-02-17T05:30:10Z",
"CTU Domain Coal Blacklist","disorderstatus.ru","Gamarue Andromeda Trojan Phone Home","2018-02-17T05:30:10Z",ThreatQuotient provides the following default mapping for this feed:
| Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Examples |
|---|---|---|---|
| 1 (first token) | Attribute | WatchList | CTU IP Coal Blacklist |
| 2 (second token) | Indicator | HostAddress | blacklist-test.secureworks.com |
| 3 (third token) | Attribute | ReasonAdded | Gamarue Andromeda Trojan Phone Home |
| 4 (forth token) | Indicator | MemberSince | 2018-02-17T05:30:10Z |
Change Log
- Version 1.0.0
- Initial release
PDF Guides
| Document | ThreatQ Version |
|---|---|
| SecureWorks AttackerDB CDF Guide v1.0.0 | 4.21.0 or Greater |