IBM X-Force Exchange Operation
The web format of this guide reflects the most current release. Guides for older iterations are available in PDF format.
Integration Details
ThreatQuotient provides the following details for this integration:
Current Integration Version | 1.1.1 |
Compatible with ThreatQ Versions | >= 4.34.0 |
Support Tier | ThreatQ Supported |
Introduction
IBM X-Force Exchange is a cloud-based threat intelligence platform that allows you to consume, share and act on threat intelligence. It enables you to rapidly research the latest global security threats, aggregate actionable intelligence, consult with experts and collaborate with peers. IBM X-Force Exchange, supported by human- and machine-generated intelligence, leverages the scale of IBM X-Force to help users stay ahead of emerging threats.
The IBM X-Force Exchange operation provides Data Enrichment of indicators of compromise via the X-Force Exchange.
The operation provides the following actions:
- IP Report - provides a summary of reputation information about an IP address.
- Malware For IP - looks up malware associated with an IP Address.
- URL Report - provides a summary of reputation information about a URL or FQDN.
- Malware for URL - provides Malware listings associated with a URL or FQDN.
- Malware for File Hash - provides a summary reputation report for MD5, SHA1, SHA256.
- Vulnerability Report - returns information about a CVE.
- WHOIS - returns WHOIS information for an IP or FQDN.
The operation is compatible with the following indicator types:
- CVE
- FQDN
- IP Address
- SHA-1
- SHA-256
- URL
Installation
This integration can be installed in the My Integration section of your ThreatQ instance. See the Adding an Integration topic for more details.
Configuration
ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.
To configure the integration:
- Navigate to your integrations management page in ThreatQ.
- Select the Operation option from the Type dropdown (optional).
- Click on the integration entry to open its details page.
- Enter the following parameters under the Configuration tab:
Parameter | Description |
---|---|
API Key | Your X-Force Exchange API Key to be used in HTTP headers for accessing feed data. |
API Password | Your X-Force Exchange API Password to be used in HTTP headers for accessing feed data. |
- Review any additional settings, make any changes if needed, and click on Save.
- Click on the toggle switch, located above the Additional Information section, to enable it.
Actions
The operation provides the following actions:
Action | Description | Object Type | Object Subtype |
---|---|---|---|
IP Report | Provides a summary of reputation information about an IP address. | Indicator | IP Address |
Malware For IP | Looks up malware associated with an IP Address. | Indicator | IP Address |
URL Report | Provides a summary of reputation information about a URL or FQDN. | Indicator | URL, FQDN |
Malware For URL | Provides Malware listings associated with a URL or FQDN. | Indicator | URL, FQDN |
Malware for File Hash | Provides a summary reputation report for MD5, SHA1, SHA256. | Indicator | MD5, SHA1, SHA256 |
Vulnerability Report | Returns information about a CVE. | Indicator | CVE |
WHOIS | Returns WHOIS information for an IP or FQDN. | Indicator | IP Address, FQDN |
IP Report
The IP Report action provides a summary of reputation information about an IP address.
ThreatQuotient provides the following default mapping for this action:
Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Examples | Notes |
---|---|---|---|---|
.geo.countrycode | Indicator.Attribute | Country Code | US | N/A |
.geo.country | Indicator.Attribute | Country | United States | N/A |
.reason | Indicator.Attribute | X-Force Reason | One of the five RIRs announced a (new) location mapping of the IP. | N/A |
.score | Indicator.Attribute | X-Force Score | 1 | N/A |
.cats | Indicator.Attribute | X-Force Exchange Category | N/A | Extracted from the mapping's keys |
.tags[].date | Indicator.Attribute | Date of Report | N/A | N/A |
.subnets[].subnet | RelatedIndicator.Value | CIDR Block | 8.8.8.0/24 | N/A |
.subnets[].score | RelatedIndicator.Attribute | X-Force Exchange Score | 1 | N/A |
.subnets[].geo.countrycode | RelatedIndicator.Attribute | Country Code | US | N/A |
.subnets[].geo.country | RelatedIndicator.Attribute | Country | United States | N/A |
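The following is an added illustration of how the IP Report mapping above is applied to a response; it is not ThreatQ's or IBM's code. The response is a constructed sample shaped after the table's Feed Data Path and Examples columns (the real API's output shape is an assumption here), and it shows the two points the table only hints at: `.cats` contributes its keys, not its values, and each `.subnets[]` entry becomes a separate related CIDR Block indicator with its own attributes.

```python
# Added example: apply the IP Report default mapping to an X-Force-style response.
# Not ThreatQ's or IBM's code; the response shape below is a constructed assumption.
from dataclasses import dataclass, field

SAMPLE_IP_REPORT = {  # constructed sample, not real X-Force output
    "geo": {"country": "United States", "countrycode": "US"},
    "reason": "One of the five RIRs announced a (new) location mapping of the IP.",
    "score": 1,
    "cats": {"Dynamic IPs": 43},  # category -> confidence; only the keys are mapped
    "tags": [{"date": "2021-01-04T10:00:00Z"}],
    "subnets": [
        {"subnet": "8.8.8.0/24", "score": 1,
         "geo": {"country": "United States", "countrycode": "US"}},
    ],
}


@dataclass
class Indicator:
    value: str
    type: str
    attributes: list = field(default_factory=list)  # list of (key, value) pairs


GEO_FIELDS = (("countrycode", "Country Code"), ("country", "Country"))


def map_ip_report(report: dict, ip: str):
    """Apply the IP Report mapping: returns (enriched indicator, related indicators)."""
    ind = Indicator(value=ip, type="IP Address")
    geo = report.get("geo") or {}
    for key, attr in GEO_FIELDS:
        if geo.get(key):
            ind.attributes.append((attr, geo[key]))
    if report.get("reason"):
        ind.attributes.append(("X-Force Reason", report["reason"]))
    if "score" in report:
        ind.attributes.append(("X-Force Score", str(report["score"])))
    # .cats: the category names are the keys of the mapping (per the Notes column)
    for category in (report.get("cats") or {}):
        ind.attributes.append(("X-Force Exchange Category", category))
    for tag in report.get("tags") or []:
        if tag.get("date"):
            ind.attributes.append(("Date of Report", tag["date"]))

    related = []
    for sn in report.get("subnets") or []:
        if not sn.get("subnet"):
            continue  # an entry without a subnet value cannot become an indicator
        cidr = Indicator(value=sn["subnet"], type="CIDR Block")
        if "score" in sn:
            cidr.attributes.append(("X-Force Exchange Score", str(sn["score"])))
        sgeo = sn.get("geo") or {}
        for key, attr in GEO_FIELDS:
            if sgeo.get(key):
                cidr.attributes.append((attr, sgeo[key]))
        related.append(cidr)
    return ind, related


if __name__ == "__main__":
    indicator, related = map_ip_report(SAMPLE_IP_REPORT, "8.8.8.8")
    for key, value in indicator.attributes:
        print(f"{indicator.value}: {key} = {value}")
    for rel in related:
        print(f"related {rel.type} {rel.value}: {rel.attributes}")
```

Every lookup is guarded with `.get()` so a report that omits `geo`, `cats` or `subnets` still enriches the indicator with whatever fields are present instead of failing the whole action.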
Malware for IP
The Malware for IP action looks up malware associated with an IP Address.
ThreatQuotient provides the following default mapping for this action:
Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Examples | Notes |
---|---|---|---|---|
.malware[].family | Indicator.Attribute | Malware Family | Spam Zero-Day | N/A |
.malware[].domain | RelatedIndicator.Value | FQDN | soneramail.nl | N/A |
.malware[].md5 | RelatedIndicator.Value | MD5 | 256001D33DA5A13B1AD2E2322CE0B19E | N/A |
.malware[].firstseen | RelatedIndicator.Attribute | First Seen Date | 2015-10-26T16:15:00Z | N/A |
URL Report
The URL Report action provides a summary of reputation information about a URL or FQDN.
ThreatQuotient provides the following default mapping for this action:
Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Examples | Notes |
---|---|---|---|---|
.result.score | Indicator.Attribute | X-Force Exchange Score | 1 | N/A |
.result.cats | Indicator.Attribute | X-Force Exchange Category | Software / Hardware | Extracted from the mapping's keys |
.result.application.riskfactors | Indicator.Attribute | Risk Factor | Insecure communication | Extracted from the mapping's keys |
.result.application.name | Indicator.Attribute | Application Name | IBM Kenexa CompAnalyst | N/A |
.result.application.urls | RelatedIndicator.Value | URL | https://ibm.com | N/A |
.result.application.urls | RelatedIndicator.Value | FQDN | ibm.com | N/A |
.result.application.baseurl | RelatedIndicator.Value | URL | http://01.ibm.com/software/smarterworkforce/compensation_divestiture | N/A |
Malware for URL
The Malware for URL action provides Malware listings associated with a URL or FQDN.
ThreatQuotient provides the following default mapping for this action:
Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Examples | Notes |
---|---|---|---|---|
.malware[].type | Indicator.Attribute | Malware Type | SPM | N/A |
.malware[].md5 | RelatedIndicator.Value | MD5 | 3018E99857F31A59E0777396AE634A8F | N/A |
.malware[].domain | RelatedIndicator.Value | FQDN | ibm.com | N/A |
.malware[].uri | RelatedIndicator.Value | URL | 34835856.zip | N/A |
.malware[].ip | RelatedIndicator.Value | IP Address | 87.235.177.251 | N/A |
Malware for File Hash
The Malware for File Hash action provides a summary reputation report for MD5, SHA1, SHA256.
ThreatQuotient provides the following default mapping for this action:
Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Examples | Notes |
---|---|---|---|---|
.malware.created | Indicator.Attribute | Created Date | 2014-10-20T23:19:00Z | N/A |
.malware.risk | Indicator.Attribute | Risk | high | N/A |
.malware.origins.external.family | Indicator.Attribute | Malware Family | generic | N/A |
.malware.family | Indicator.Attribute | Malware Family | tsunami | N/A |
.malware.origins.CnCServers.rows.md5 | RelatedIndicator.Value | MD5 | 3018E99857F31A59E0777396AE634A8F | Added with attribute Origin = CnCServers |
.malware.origins.CnCServers.rows.domain | RelatedIndicator.Value | FQDN | pc-guard.net | Added with attribute Origin = CnCServers |
.malware.origins.CnCServers.rows.ip | RelatedIndicator.Value | IP Address | 61.255.239.86 | Added with attribute Origin = CnCServers |
.malware.origins.CnCServers.rows.uri | RelatedIndicator.Value | URL | http://pc-guard.net/v.html | Added with attribute Origin = CnCServers |
.malware.origins.downloadServers.rows.md5 | RelatedIndicator.Value | MD5 | 3018E99857F31A59E0777396AE634A8F | Added with attribute Origin = Download Servers |
.malware.origins.downloadServers.rows.domain | RelatedIndicator.Value | FQDN | pc-guard.net | Added with attribute Origin = Download Servers |
.malware.origins.downloadServers.rows.ip | RelatedIndicator.Value | IP Address | 61.255.239.86 | Added with attribute Origin = Download Servers |
.malware.origins.downloadServers.rows.uri | RelatedIndicator.Value | URL | http://pc-guard.net/v.html | Added with attribute Origin = Download Servers |
.malware.origins.emails.rows.md5 | RelatedIndicator.Value | MD5 | 3018E99857F31A59E0777396AE634A8F | Added with attribute Origin = Email |
.malware.origins.emails.rows.domain | RelatedIndicator.Value | FQDN | pc-guard.net | Added with attribute Origin = Email |
.malware.origins.emails.rows.ip | RelatedIndicator.Value | IP Address | 61.255.239.86 | Added with attribute Origin = Email |
.malware.origins.emails.rows.uri | RelatedIndicator.Value | URL | http://pc-guard.net/v.html | Added with attribute Origin = Email |
.malware.origins.subjects.rows.md5 | RelatedIndicator.Value | MD5 | 3018E99857F31A59E0777396AE634A8F | Added with attribute Origin = Subject |
.malware.origins.subjects.rows.domain | RelatedIndicator.Value | FQDN | pc-guard.net | Added with attribute Origin = Subject |
.malware.origins.subjects.rows.ip | RelatedIndicator.Value | IP Address | 61.255.239.86 | Added with attribute Origin = Subject |
.malware.origins.subjects.rows.uri | RelatedIndicator.Value | URL | http://pc-guard.net/v.html | Added with attribute Origin = Subject |
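The following is an added illustration of the Malware for File Hash mapping above, in particular how the four `.malware.origins.*.rows` paths produce related indicators tagged with the `Origin` attribute from the Notes column; it is not ThreatQ's or IBM's code. The response is a constructed sample, the real API's shape is an assumption, and the de-duplication of an artifact that appears under more than one origin is this example's design choice rather than something the table states.

```python
# Added example: apply the Malware for File Hash default mapping to an X-Force-style
# response. Not ThreatQ's or IBM's code; the response shape below is a constructed assumption.
from dataclasses import dataclass, field

# "Origin" attribute value for each origins.* path segment, taken from the table's Notes column
ORIGIN_LABELS = {
    "CnCServers": "CnCServers",
    "downloadServers": "Download Servers",
    "emails": "Email",
    "subjects": "Subject",
}
# Row field -> related indicator type, per the table
ROW_FIELDS = {"md5": "MD5", "domain": "FQDN", "ip": "IP Address", "uri": "URL"}

SAMPLE_HASH_REPORT = {  # constructed sample; the real response shape is an assumption
    "malware": {
        "created": "2014-10-20T23:19:00Z",
        "risk": "high",
        "family": ["tsunami"],
        "origins": {
            "external": {"family": ["generic"]},
            "CnCServers": {"rows": [
                {"md5": "3018E99857F31A59E0777396AE634A8F", "domain": "pc-guard.net",
                 "ip": "61.255.239.86", "uri": "http://pc-guard.net/v.html"},
            ]},
            "downloadServers": {"rows": [
                {"md5": "3018E99857F31A59E0777396AE634A8F", "domain": "pc-guard.net"},
            ]},
            "emails": {"rows": []},  # an origin with no rows adds nothing
        },
    }
}


@dataclass
class Indicator:
    value: str
    type: str
    attributes: list = field(default_factory=list)  # list of (key, value) pairs


def _as_list(value):
    """Accept either a scalar or a list, since family fields are seen both ways in feeds."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def map_file_hash_report(report: dict, file_hash: str, hash_type: str):
    """Apply the Malware for File Hash mapping: (enriched indicator, related indicators)."""
    malware = report.get("malware") or {}
    ind = Indicator(value=file_hash, type=hash_type)
    if malware.get("created"):
        ind.attributes.append(("Created Date", malware["created"]))
    if malware.get("risk"):
        ind.attributes.append(("Risk", malware["risk"]))
    origins = malware.get("origins") or {}
    external_family = (origins.get("external") or {}).get("family")
    for fam in _as_list(malware.get("family")) + _as_list(external_family):
        ind.attributes.append(("Malware Family", fam))

    # One related indicator per distinct (type, value). An artifact listed under several
    # origins gets one "Origin" attribute per origin instead of a duplicate indicator;
    # that de-duplication is this illustration's choice, not something the table states.
    related = {}
    for origin_key, label in ORIGIN_LABELS.items():
        for row in (origins.get(origin_key) or {}).get("rows") or []:
            for field_name, ind_type in ROW_FIELDS.items():
                value = row.get(field_name)
                if not value:
                    continue
                rel = related.setdefault((ind_type, value), Indicator(value=value, type=ind_type))
                rel.attributes.append(("Origin", label))
    return ind, list(related.values())


if __name__ == "__main__":
    ind, related = map_file_hash_report(SAMPLE_HASH_REPORT, "3018E99857F31A59E0777396AE634A8F", "MD5")
    print(ind)
    for rel in related:
        print(rel)
```

With the sample above the MD5 and FQDN listed under both `CnCServers` and `downloadServers` come out once each, carrying both `Origin` attributes, while the IP address and URL carry only `Origin = CnCServers`.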
Vulnerability Report
The Vulnerability Report action returns information about a CVE.
ThreatQuotient provides the following default mapping for this action:
Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Examples | Notes |
---|---|---|---|---|
.[].values() | Indicator.Attribute | [].keys() | Denial of Service | The attribute key is the corresponding key from '[].keys()'. Ex: Consequences |
.[].cvss.values() | Indicator.Attribute | CVSS + [].cvss.keys() | Low | The attribute key is 'CVSS ' followed by the corresponding key from '[].cvss.keys()'. Ex: CVSS Access Complexity |
.[].platforms_affected[] | Indicator.Attribute | Platforms Affected | HP Integrated Lights-Out 2 (iLO2) 2.23 | N/A |
.[].references[].link_target | Indicator.Attribute | Vulnerability Link | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2601 | N/A |
WHOIS
The WHOIS action returns WHOIS information for an IP or FQDN.
ThreatQuotient provides the following default mapping for this action:
Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Examples | Notes |
---|---|---|---|---|
.extended.createdDate | Indicator.Attribute | Created Date | 1986-03-19T00:00:00.000Z | N/A |
.extended.expiresDate | Indicator.Attribute | Expires Date | 2021-03-20T04:00:00.000Z | N/A |
.extended.contact.values() | Indicator.Attribute | extended.contact.keys() | IBM DNS Admin | The attribute key is the corresponding key from 'extended.contact.keys()'. Ex: Name |
.extended.contactEmail | RelatedIndicator.Value | Email Address | dnsadm@us.ibm.com | N/A |
.extended.registrarName | RelatedIndicator.Attribute | Registrar Name | CSC CORPORATE DOMAINS, INC. | N/A |
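The Vulnerability Report and WHOIS mappings above both use dynamic attribute keys: a `.values()` path whose attribute key is the matching `.keys()` entry (optionally prefixed with `CVSS`). The following added illustration applies both mappings to constructed responses; it is not ThreatQ's or IBM's code. The response shapes, the list of top-level vulnerability keys that are skipped because they have their own mapping rows, and the `snake_case` to `Title Case` key normalisation (suggested by the tables' `Ex:` notes such as `CVSS Access Complexity` and `Name`) are all assumptions of this example.

```python
# Added example: dynamic attribute keys for the Vulnerability Report and WHOIS mappings.
# Not ThreatQ's or IBM's code; response shapes and key normalisation are assumptions.
from dataclasses import dataclass, field


@dataclass
class Indicator:
    value: str
    type: str
    attributes: list = field(default_factory=list)  # list of (key, value) pairs


def _as_list(value):
    """Accept either a single object or a list of them."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def humanize(key: str) -> str:
    """'access_complexity' -> 'Access Complexity' (assumed normalisation of feed keys)."""
    return " ".join(part.capitalize() for part in key.replace("-", "_").split("_") if part)


SAMPLE_VULN_RESPONSE = [  # constructed: the mapping's ".[]" means a list of records
    {
        "title": "HP Integrated Lights-Out denial of service",
        "consequences": "Denial of Service",
        "cvss": {"access_complexity": "Low", "access_vector": "Network"},
        "platforms_affected": ["HP Integrated Lights-Out 2 (iLO2) 2.23"],
        "references": [{"link_target": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2601",
                        "title": "CVE-2014-2601"}],
    }
]

# Top-level keys that have their own mapping rows and so are not emitted as key/value attributes
STRUCTURED_KEYS = {"cvss", "platforms_affected", "references"}


def map_vulnerability_report(records: list, cve: str) -> Indicator:
    """Apply the Vulnerability Report mapping to the list of vulnerability records."""
    ind = Indicator(value=cve, type="CVE")
    for rec in _as_list(records):
        for key, value in rec.items():  # .[].values() stored under [].keys()
            if key in STRUCTURED_KEYS or not isinstance(value, (str, int, float)) or value == "":
                continue
            ind.attributes.append((humanize(key), str(value)))
        for key, value in (rec.get("cvss") or {}).items():  # 'CVSS ' + [].cvss.keys()
            if value not in (None, ""):
                ind.attributes.append(("CVSS " + humanize(key), str(value)))
        for platform in rec.get("platforms_affected") or []:
            ind.attributes.append(("Platforms Affected", platform))
        for ref in rec.get("references") or []:
            if ref.get("link_target"):
                ind.attributes.append(("Vulnerability Link", ref["link_target"]))
    return ind


SAMPLE_WHOIS_RESPONSE = {  # constructed sample; the real response shape is an assumption
    "extended": {
        "createdDate": "1986-03-19T00:00:00.000Z",
        "expiresDate": "2021-03-20T04:00:00.000Z",
        "contact": {"name": "IBM DNS Admin", "organization": "IBM", "country": "US"},
        "contactEmail": "dnsadm@us.ibm.com",
        "registrarName": "CSC CORPORATE DOMAINS, INC.",
    }
}


def map_whois(report: dict, value: str, ind_type: str):
    """Apply the WHOIS mapping: returns (enriched indicator, related indicators)."""
    ext = report.get("extended") or {}
    ind = Indicator(value=value, type=ind_type)
    if ext.get("createdDate"):
        ind.attributes.append(("Created Date", ext["createdDate"]))
    if ext.get("expiresDate"):
        ind.attributes.append(("Expires Date", ext["expiresDate"]))
    for contact in _as_list(ext.get("contact")):  # tolerate one contact or a list of them
        for key, val in contact.items():  # extended.contact.values() under extended.contact.keys()
            if val not in (None, ""):
                ind.attributes.append((humanize(key), str(val)))
    related = []
    if ext.get("contactEmail"):
        email = Indicator(value=ext["contactEmail"], type="Email Address")
        if ext.get("registrarName"):  # RelatedIndicator.Attribute per the table
            email.attributes.append(("Registrar Name", ext["registrarName"]))
        related.append(email)
    return ind, related


if __name__ == "__main__":
    print(map_vulnerability_report(SAMPLE_VULN_RESPONSE, "CVE-2014-2601"))
    print(map_whois(SAMPLE_WHOIS_RESPONSE, "ibm.com", "FQDN"))
```

Because the attribute keys are derived from the feed's own keys, any new field the vendor adds to a record silently becomes a new attribute key in ThreatQ; the `STRUCTURED_KEYS` skip list is what keeps nested objects such as `cvss` from also being flattened into an unreadable attribute.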
Change Log
- Version 1.1.1
- Correct/Enhance error handling
- Version 1.1.0
- Restructuring the operation
- Version 1.0.1
- Fix the issue with Malware Family
- Version 1.0.0
- Initial release
PDF Guides
Document | ThreatQ Version |
---|---|
IBM X-Force Exchange Operation Guide v1.1.1 | 4.34.0 or Greater |