abuse.ch ThreatFox Action
The web format of this guide reflects the most current release. Guides for older iterations are available in PDF format.
Integration Details
ThreatQuotient provides the following details for this integration:
| Current Integration Version | 1.0.2 |
| Compatible with ThreatQ Versions | >= 5.14.1 |
| ThreatQ TQO License Required | Yes |
| Support Tier | ThreatQ Supported |
Introduction
The abuse.ch ThreatFox Action submits a collection of indicators to the abuse.ch ThreatFox API in the form of individual HTTP requests. The returning response will provide additional contextual information for every indicator submitted.
The action can perform the following function:
- abuse.ch ThreatFox - enriches supported objects with attributes and related objects describing the IOC.
The action is compatible with the following indicator types:
- MD5
- SHA-1
- SHA-256
- FQDN
- IP
- URL
- Email Address
The action returns the following enriched system objects:
- Indicators
- Malware
This action is intended for use with ThreatQ TDR Orchestrator (TQO). An active TQO license is required for this feature.
Prerequisites
- An active ThreatQ TDR Orchestrator (TQO) license.
- A data collection containing at least one of the following indicator types:
- MD5
- SHA-1
- SHA-256
- FQDN
- IP
- URL
- Email Address
- Abuse.ch ThreatFox API key.
Installation
This action can be installed in the My Integration section of your ThreatQ instance. See the Installing an Action topic for more details.
Configuration
ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.
To configure the integration:
- Navigate to your integrations management page in ThreatQ.
- Select the Actions option from the Category dropdown (optional).
- Click on the action entry to open its details page.
- Enter the following parameters under the Configuration tab:
The configurations set on this page will be used as the default settings when inserting this action into a new workflow. Updating the configurations on this page will not update any instances of this action that have already been deployed to a workflow. In that scenario, you must update the action’s configurations within the workflow itself.
Parameter Description Auth Key Enter your abuse.ch authentication key. Enable SSL Certificate Verification Enable this for the feed to validate the host-provided SSL certificate. Disable Proxies Enable this option if the feed should not honor proxies set in the ThreatQ UI. Supporting Context Select the context you want to ingest into ThreatQ. Options include: - Threat Type (default)
- Threat Type Description
- Related Malware (default)
- Related Malware (default) Samples (Hashes)
- Malware Aliases (default)
- Malware Identifier (i.e. "win.asyncrat")
- Malware Malpedia Reference (External Reference)
- abuse.ch Reference (External Reference)
- Confidence Level (default)
- First Seen
- Last Seen
- Reporter
- Tags (default)
Objects Per Run The maximum number of objects to send to this action, per run. The maximum value for this parameter is 50,000.
- Review any additional settings, make any changes if needed, and click on Save.
Action Functions
The action provides the following function:
| Function | Description | Object Type | Object Subtype |
|---|---|---|---|
| abuse_ch ThreatFox | Queries ThreatFox API for context | Indicators | MD5, SHA-1, SHA-256, FQDN, IP, URL, Email Address |
abuse_ch ThreatFox
The abuse_ch ThreatFox function enriches supported indicators by using the ThreatFox API.
POST https://threatfox-api.abuse.ch/api/v1/
Sample Body:
{
"query": "search_ioc",
"search_term": "<ioc_value>"
}
Sample Response:
{
"query_status": "ok",
"data": [
{
"id": "1035527",
"ioc": "https://xoopscube.xyz/vema/index.php?QBOT.zip",
"threat_type": "payload_delivery",
"threat_type_desc": "Indicator that identifies a malware distribution server (payload delivery)",
"ioc_type": "url",
"ioc_type_desc": "URL that delivers a malware payload",
"malware": "win.qakbot",
"malware_printable": "QakBot",
"malware_alias": "Oakboat,Pinkslipbot,Qbot,Quakbot",
"malware_malpedia": "https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot",
"confidence_level": 100,
"first_seen": "2022-12-07 18:58:08 UTC",
"last_seen": null,
"reference": null,
"reporter": "Cryptolaemus1",
"tags": [
"BB09",
"QakBot",
"qbot",
"Quakbot",
"TR",
"U12",
"vhd",
"zip"
],
"malware_samples": []
}
]
}ThreatQuotient provides the following default mapping for this function:
| Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Published Date | Examples | Notes |
|---|---|---|---|---|---|
.data[].malware_printable |
malware.value | n/a | .data[].first_seen | QakBot |
If enabled |
.data[].malware_alias |
malware.attribute | Alias | .data[].first_seen | [Oakboat, Pinkslipbot, Qbot, Quakbot] |
If enabled |
.data[].malware_malpedia |
malware.attribute | External Reference | .data[].first_seen | https://malpedia.caad. |
If enabled |
.data[].malware |
malware.attribute | Malware Identifier | .data[].first_seen | win.qakbot |
If enabled |
.data[].malware_samples[].md5_hash |
indicator.value | MD5 | .data[].malware_samples[]. time_stamp |
n/a | If enabled |
.data[].malware_samples[].sha256_hash |
indicator.value | SHA-256 | .data[].malware_samples[]. time_stamp |
n/a | If enabled |
.data[].first_seen |
indicator.attribute | First Seen | .data[].first_seen | 2022-12-07 18:58:08 UTC |
If enabled |
.data[].last_seen |
indicator.attribute | Last Seen | .data[].first_seen | n/a | If enabled |
.data[].reporter |
indicator.attribute | Reporter | .data[].first_seen | Cryptolaemus1 |
If enabled |
.data[].reference |
indicator.attribute | External Reference | .data[].first_seen | n/a | If enabled |
.data[].confidence_level |
indicator.attribute | Confidence Level | .data[].first_seen | 100 |
If enabled |
.data[].threat_type_description |
indicator.attribute | Threat Type Description | .data[].first_seen | Indicator that identifies a malware distribution server (payload delivery) |
If enabled |
.data[].threat_type |
indicator.attribute | Threat Type | .data[].first_seen | payload_delivery |
If enabled |
.data[].ioc |
indicator.attribute | n/a | .data[].first_seen | n/a | n/a |
.data[].tags |
Indicator.tag | N/A | .data[].first_seen | ['BB09', 'QakBot', 'qbot', 'Quakbot', 'TR', 'U12', 'vhd', 'zip'] |
If enabled |
Enriched Data
Object counts and action runtime are supplied as generalities only - objects returned by a provider can differ based on credential configurations and action runtime may vary based on system resources and load.
| Metric | Result |
|---|---|
| Run Time | 1 minute |
| Indicators | 4 |
| Indicator Attributes | 25 |
| Malware | 3 |
| Malware Attributes | 11 |
Use Case Example
- A Threat Analyst identifies a collection of supported objects they would like to enrich.
- The Threat Analyst adds the abuse.ch ThreatFox Action to a workflow.
- The Threat Analyst configures the action with the desired parameters and enables the workflow.
- The workflow executes all actions in the graph, including the abuse.ch ThreatFox action.
- The action returns the documented objects from the provider, ingesting them into the ThreatQ platform.
Change Log
- Version 1.0.2
- Added support for authenticating with the API.
- Added the option to to enable SSL certificate verification and/or disable proxies.
- Resolved timstamp parsing issues.
- Version 1.0.1
- The action is now capable of parsing the entire data from the response.
- Updated action standards.
- Updated minimum ThreatQ version to 5.14.1.
- Version 1.0.0
- Initial release
PDF Guides
| Document | ThreatQ Version |
|---|---|
| abuse.ch ThreatFox Action Guide v1.0.2 | 5.14.1 or Greater |
| abuse.ch ThreatFox Action Guide v1.0.1 | 5.14.1 or Greater |
| abuse.ch ThreatFox Action Guide v1.0.0 | 5.6 or Greater |