Spur Enrichment Action
The web format of this guide reflects the most current release. Guides for older iterations are available in PDF format.
Integration Details
ThreatQuotient provides the following details for this integration:
Detail | Value |
---|---|
Current Integration Version | 1.0.1 |
Compatible with ThreatQ Versions | >= 5.14.0 |
ThreatQ TQO License Required | Yes |
Support Tier | ThreatQ Supported |
Introduction
Spur tracks anonymization services so that you can identify when anonymization services are touching your website, application, or network.
The Spur Enrichment Action enables the automatic enrichment of IP Address indicators in ThreatQ using Spur's Context API. The API response tells you whether the selected IOCs are used by anonymization services (VPN or proxy tunnels, with their entry and exit IPs), where their client traffic is concentrated geographically, and which risks or threats (for example web scraping) Spur associates with them.
The integration can perform the following action:
- Spur Enrichment - utilizes Spur's API to enrich an IP Address with context pertaining to whether the IOC is used for tunnels and/or anonymization.
The action is compatible with the following indicator types:
- IP Address
- IPv6 Address
The action returns enriched IP Address and IPv6 Address type indicators.
This action is intended for use with ThreatQ TDR Orchestrator (TQO). An active TQO license is required for this feature.
Prerequisites
- An active ThreatQ TDR Orchestrator (TQO) license.
- A Spur API Key.
- A data collection containing at least one of the following indicator types:
- IP Address
- IPv6 Address
Installation
Perform the following steps to install the integration:
The same steps can be used to upgrade the integration to a new version.
- Log into https://marketplace.threatq.com/.
- Locate and download the action zip file.
- Navigate to the integrations management page on your ThreatQ instance.
- Click on the Add New Integration button.
- Upload the action zip file using one of the following methods:
- Drag and drop the zip file into the dialog box
- Select Click to Browse to locate the zip file on your local machine
ThreatQ will inform you if the action already exists on the platform and will require user confirmation before proceeding. ThreatQ will also inform you if the new version of the action contains changes to the user configuration. The new user configurations will overwrite the existing ones for the action and will require user confirmation before proceeding.
You will still need to configure the action.
Configuration
ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.
To configure the integration:
- Navigate to your integrations management page in ThreatQ.
- Select the Actions option from the Category dropdown (optional).
- Click on the action entry to open its details page.
- Enter the following parameters under the Configuration tab:
The configurations set on this page will be used as the default settings when inserting this action into a new workflow. Updating the configurations on this page will not update any instances of this action that have already been deployed to a workflow. In that scenario, you must update the action’s configurations within the workflow itself.
Parameter | Description |
---|---|
Spur Hostname or IP | The hostname or IP address for your Spur instance. The default value is api.spur.us. |
API Key | The API Key from your Spur account. |
Attribute Filter | Select the pieces of context to ingest into ThreatQ from Spur. Options include: ASN, AS Organization, Client Behavior (default), Client Concentration Country Code, Client Concentration City, Client Concentration State, Client Proxy (default), Client Type (default), Infrastructure (default), City, Country Code, State, Risk (default), Service (default), Tunnel Type (default), Tunnel Operator (default), Is Anonymized (default). |
Indicator Filter | Select the indicators to ingest into ThreatQ from Spur. Options include: Tunnel Entry IPs, Tunnel Exit IPs (default). |
Inherit Attributes to Entry/Exit Tunnels | Enable this to copy the enrichment attributes from the original indicator to the tunnel entry/exit indicators. This parameter is disabled by default. |
Only Ingest Enrichment for IPs with Risks / Threats | Enable this to ingest enrichment only for IPs that Spur deems risky or associates with threats. This option is enabled by default. |
Only Ingest Enrichment for IPs from Selected Services | (Optional) Enter a line-separated list of services (for example OPENVPN) to filter on. If left blank, IPs from all services will be ingested. |
Objects Per Run | The maximum number of objects per run to send to this action. The default value is 1000. |
Disable Proxies | Enable this option if the action should not honor proxies set in the ThreatQ UI. |
Enable SSL Verification | Enable or disable host SSL certificate verification. Leave this enabled unless the configured Spur hostname is an internal endpoint whose certificate ThreatQ cannot validate; with verification disabled, the API Key is sent to whichever host answers for that hostname. |
- Review any additional settings, make any changes if needed, and click on Save.
Actions
The integration performs the following action:
action | Description | Object Type | Object Subtype |
---|---|---|---|
Spur Enrichment | Fetches contextual information from the Spur API. | Indicator | IP Address, IPv6 Address |
Spur Enrichment
The Spur Enrichment action uses Spur's API to enrich an IP Address with context on whether the IOC is used for tunnels and/or anonymization, and on how the tunnel is typically used by threats. For each indicator it issues the following request:
GET https://api.spur.us/v2/context/{{ ip }}
Sample Response:
{
"as": {
"number": 30083,
"organization": "AS-30083-GO-DADDY-COM-LLC"
},
"client": {
"behaviors": ["TOR_PROXY_USER"],
"concentration": {
"city": "Weldon Spring",
"country": "US",
"density": 0.202,
"geohash": "9yz",
"skew": 45,
"state": "Missouri"
},
"count": 14,
"countries": 1,
"proxies": ["LUMINATI_PROXY", "SHIFTER_PROXY"],
"spread": 4941431,
"types": ["MOBILE", "DESKTOP"]
},
"infrastructure": "DATACENTER",
"ip": "148.72.164.186",
"location": {
"city": "St Louis",
"country": "US",
"state": "Missouri"
},
"risks": ["WEB_SCRAPING", "TUNNEL"],
"services": ["IPSEC", "OPENVPN"],
"tunnels": [
{
"anonymous": true,
"entries": ["148.72.164.179"],
"exits": ["148.72.164.177"],
"operator": "NORD_VPN",
"type": "VPN"
}
]
}
ThreatQuotient provides the following default mapping for this action:
Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Published Date | Examples | Notes |
---|---|---|---|---|---|
.as.number | Indicator.Attribute | ASN | N/A | 30083 | N/A |
.as.organization | Indicator.Attribute | AS Organization | N/A | AS-30083-GO-DADDY-COM-LLC | N/A |
.client.behaviors[] | Indicator.Attribute | Client Behavior | N/A | TOR_PROXY_USER | N/A |
.client.concentration.city | Indicator.Attribute | Client Concentration City | N/A | Weldon Spring | N/A |
.client.concentration.country | Indicator.Attribute | Client Concentration Country Code | N/A | US | N/A |
.client.concentration.state | Indicator.Attribute | Client Concentration State | N/A | Missouri | N/A |
.client.proxies[] | Indicator.Attribute | Client Proxy | N/A | SHIFTER_PROXY | N/A |
.client.types[] | Indicator.Attribute | Client Type | N/A | DESKTOP | N/A |
.infrastructure | Indicator.Attribute | Infrastructure | N/A | DATACENTER | N/A |
.location.city | Indicator.Attribute | City | N/A | St Louis | N/A |
.location.country | Indicator.Attribute | Country Code | N/A | US | N/A |
.location.state | Indicator.Attribute | State | N/A | Missouri | N/A |
.risks[] | Indicator.Attribute | Risk | N/A | WEB_SCRAPING | N/A |
.services[] | Indicator.Attribute | Service | N/A | IPSEC | N/A |
.tunnels[].operator | Indicator.Attribute | Tunnel Operator | N/A | NORD_VPN | N/A |
.tunnels[].type | Indicator.Attribute | Tunnel Type | N/A | VPN | N/A |
.tunnels[].entries[] | Indicator.Value | IP Address, IPv6 Address | N/A | 148.72.164.179 | Created as a related indicator for each tunnel entry IP |
.tunnels[].exits[] | Indicator.Value | IP Address, IPv6 Address | N/A | 148.72.164.177 | Created as a related indicator for each tunnel exit IP |
.tunnels[].anonymous | Indicator.Attribute | Is Anonymized | N/A | True | N/A |
N/A | Indicator.Attribute | Node Type | N/A | Entry | Entry if the IP is in .tunnels[].entries[]. Exit if the IP is in .tunnels[].exits[] |
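The following Python is an added example, not ThreatQuotient's or Spur's code. It applies the mapping table above and the filter options from the Configuration section to the sample response shown earlier, producing the attributes the enriched IP would receive and the tunnel entry/exit indicators with their Node Type. The sample response is embedded as a constant (trimmed to the mapped fields) so the example runs offline; no request is made, only the URL the guide shows is built. The function names (enrich, extract, context_url, indicator_type) are this example's own and do not correspond to anything in the action package.

```python
"""Added example (not the action's code): default Spur-to-ThreatQ mapping
plus the Attribute/Indicator/Risk/Service filters from the Configuration table."""
from __future__ import annotations

import ipaddress
import json
from typing import Any, Iterable, Optional

# Sample response copied from the guide, trimmed to the mapped fields.
SAMPLE_RESPONSE: dict[str, Any] = json.loads("""
{"as": {"number": 30083, "organization": "AS-30083-GO-DADDY-COM-LLC"},
 "client": {"behaviors": ["TOR_PROXY_USER"],
            "concentration": {"city": "Weldon Spring", "country": "US", "state": "Missouri"},
            "proxies": ["LUMINATI_PROXY", "SHIFTER_PROXY"], "types": ["MOBILE", "DESKTOP"]},
 "infrastructure": "DATACENTER", "ip": "148.72.164.186",
 "location": {"city": "St Louis", "country": "US", "state": "Missouri"},
 "risks": ["WEB_SCRAPING", "TUNNEL"], "services": ["IPSEC", "OPENVPN"],
 "tunnels": [{"anonymous": true, "entries": ["148.72.164.179"], "exits": ["148.72.164.177"],
              "operator": "NORD_VPN", "type": "VPN"}]}
""")

# Default mapping from the guide: (ThreatQ attribute key, feed data path).
# A "[]" suffix on a path segment expands a JSON array into one attribute per element.
ATTRIBUTE_MAP = [
    ("ASN", "as.number"), ("AS Organization", "as.organization"),
    ("Client Behavior", "client.behaviors[]"),
    ("Client Concentration City", "client.concentration.city"),
    ("Client Concentration Country Code", "client.concentration.country"),
    ("Client Concentration State", "client.concentration.state"),
    ("Client Proxy", "client.proxies[]"), ("Client Type", "client.types[]"),
    ("Infrastructure", "infrastructure"), ("City", "location.city"),
    ("Country Code", "location.country"), ("State", "location.state"),
    ("Risk", "risks[]"), ("Service", "services[]"),
    ("Tunnel Operator", "tunnels[].operator"), ("Tunnel Type", "tunnels[].type"),
    ("Is Anonymized", "tunnels[].anonymous"),
]
# Defaults of the Attribute Filter and Indicator Filter options.
DEFAULT_ATTRIBUTE_FILTER = frozenset({
    "Client Behavior", "Client Proxy", "Client Type", "Infrastructure", "Risk",
    "Service", "Tunnel Type", "Tunnel Operator", "Is Anonymized"})
DEFAULT_INDICATOR_FILTER = frozenset({"Tunnel Exit IPs"})


def context_url(ip: str, hostname: str = "api.spur.us") -> str:
    """The request the action issues: GET https://<Spur Hostname>/v2/context/{ip}."""
    return f"https://{hostname}/v2/context/{ip}"


def extract(data: Any, path: str) -> list[Any]:
    """Resolve a feed data path such as 'tunnels[].operator' to all of its values."""
    current: list[Any] = [data]
    for segment in path.split("."):
        expand = segment.endswith("[]")
        key = segment[:-2] if expand else segment
        nxt: list[Any] = []
        for node in current:
            if not isinstance(node, dict) or key not in node:
                continue  # field absent in this response: no attribute, no error
            child = node[key]
            if expand:
                nxt.extend(child if isinstance(child, list) else [])
            else:
                nxt.append(child)
        current = nxt
    return current


def indicator_type(ip: str) -> str:
    """ThreatQ indicator type for a tunnel entry/exit value."""
    return "IPv6 Address" if ipaddress.ip_address(ip).version == 6 else "IP Address"


def enrich(response: dict[str, Any], *,
           attribute_filter: Iterable[str] = DEFAULT_ATTRIBUTE_FILTER,
           indicator_filter: Iterable[str] = DEFAULT_INDICATOR_FILTER,
           only_risky: bool = True,              # Only Ingest Enrichment for IPs with Risks / Threats
           services: Optional[Iterable[str]] = None,  # Only Ingest Enrichment for IPs from Selected Services
           inherit: bool = False                 # Inherit Attributes to Entry/Exit Tunnels
           ) -> tuple[list[tuple[str, str]], list[dict[str, Any]]]:
    """Return (attributes for the enriched IP, related tunnel indicators)."""
    if only_risky and not response.get("risks"):
        return [], []
    if services and not set(response.get("services", [])) & set(services):
        return [], []
    attribute_filter = set(attribute_filter)
    attributes = [(key, str(value)) for key, path in ATTRIBUTE_MAP
                  if key in attribute_filter for value in extract(response, path)]
    indicators: list[dict[str, Any]] = []
    for tunnel in response.get("tunnels", []):
        for node_type, field in (("Entry", "entries"), ("Exit", "exits")):
            if f"Tunnel {node_type} IPs" not in set(indicator_filter):
                continue
            for ip in tunnel.get(field, []):
                # Node Type records which side of the tunnel this related IP is on.
                attrs = [("Node Type", node_type)] + (attributes if inherit else [])
                indicators.append({"type": indicator_type(ip), "value": ip, "attributes": attrs})
    return attributes, indicators
```

With the defaults, the sample yields 13 attributes on 148.72.164.186 and one related indicator, 148.72.164.177 with Node Type Exit; selecting Tunnel Entry IPs as well adds 148.72.164.179 with Node Type Entry, and the service or risk filters suppress the whole enrichment rather than individual attributes, which is the behaviour the Configuration table describes.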
Enriched Data
Object counts and action runtime are supplied as generalities only - objects returned by a provider can differ based on credential configurations and action runtime may vary based on system resources and load.
Metric | Result |
---|---|
Run Time | 2 minutes |
Indicators | 225 |
Indicator Attributes | 782 |
Use Case Example
- A Threat Analyst wants to identify when anonymized services (VPNs and Proxies) are contacting the network infrastructure and take action when the activity is a known threat.
- The Threat Analyst creates a collection of Indicators that have the type IP Address or IPv6 Address.
- The Threat Analyst adds the Spur Enrichment action to a Workflow.
- The Threat Analyst configures the action with the desired parameters, and enables the Workflow.
- The action will enrich the indicators with information that indicates if they are used by anonymization services.
Known Issues / Limitations
- When the action is run on an unnormalized IPv6 Address (for example one with uppercase hex digits, leading zeros, or an uncompressed run of zero groups), a new indicator with the normalized value is created and enriched. The original indicator is not enriched.
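The following Python is an added example, not ThreatQuotient's or Spur's code: a pre-check you can run over the values in a data collection before enabling the workflow, so that IPv6 values which would trigger the limitation above are normalized (or replaced) first instead of producing a duplicate indicator. The normalized form used here is Python's ipaddress compressed notation (lowercase, leading zeros dropped, longest zero run collapsed); the guide does not state which normalization ThreatQ applies, so treat that as an assumption. The sample values are constructed for the example.

```python
"""Added example (not the action's code): report collection values that the
Spur Enrichment action would not enrich in place because they are not in
normalized IPv6 form."""
from __future__ import annotations

import ipaddress
from typing import Iterable, Optional


def normalized_form(value: str) -> Optional[str]:
    """Canonical text for an IP address, or None if the value is not an IP.

    Assumption: ThreatQ's normalization matches ipaddress's compressed form.
    """
    try:
        return ipaddress.ip_address(value.strip()).compressed
    except ValueError:
        return None  # hostnames, CIDR ranges and junk are out of scope here


def find_unnormalized(values: Iterable[str]) -> dict[str, str]:
    """Map each unnormalized indicator value to the new indicator value the
    action would create and enrich instead of it. Already-normalized values
    and non-IP values are not reported."""
    report: dict[str, str] = {}
    for value in values:
        canonical = normalized_form(value)
        if canonical is not None and canonical != value.strip():
            report[value] = canonical
    return report


# Constructed sample collection for the example.
SAMPLE_COLLECTION = [
    "2001:0db8:0000:0000:0000:0000:0000:0001",  # uncompressed, leading zeros
    "2001:DB8::1",                               # uppercase hex
    "2001:db8::1",                               # already normalized
    "148.72.164.186",                            # IPv4 is unaffected
    "api.spur.us",                               # not an IP at all
]
```

Running find_unnormalized(SAMPLE_COLLECTION) flags the first two entries, both of which would be replaced by a new 2001:db8::1 indicator at enrichment time; the three other values pass through untouched.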
Change Log
- Version 1.0.1
- Added the following configuration parameters:
- Spur Hostname or IP - allows you to specify the hostname or IP of your Spur instance.
- Disable Proxies - enable this option if the action should not honor proxies set in the ThreatQ UI.
- Enable SSL Verification - enable or disable host SSL certificate verification.
- Version 1.0.0
- Initial release
PDF Guides
Document | ThreatQ Version |
---|---|
Spur Enrichment Action Guide v1.0.1 | 5.14.0 or Greater |
Spur Enrichment Action Guide v1.0.0 | 5.14.0 or Greater |