Maldatabase CDF

The web format of this guide reflects the most current release. Guides for older iterations are available in PDF format.

Integration Details

ThreatQuotient provides the following details for this integration:

Introduction

Maldatabase is designed to support malware data science and to serve as a threat intelligence feed.

Maldatabase collects large numbers of samples reported by sandboxes and malware analysis services. This data includes both malicious and legitimate software, and for both it records context such as contacted domains, files written to the system, and processes executed by the sample.

The data is provided as datasets suited to large-scale graph visualization and machine learning. In the same way, companies and researchers can consume it as a threat intelligence feed.

The ThreatQ Maldatabase CDF integration ingests this data together with all of the context around it.

Installation

This integration can be installed in the My Integration section of your ThreatQ instance. See the Adding an Integration topic for more details.

Configuration

ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.

To configure the integration:

  1. Navigate to your integrations management page in ThreatQ.
  2. Select the Commercial option from the Category dropdown (optional).

    If you are installing the integration for the first time, it will be located under the Disabled tab.

  3. Click on the integration entry to open its details page.
  4. Enter the following parameter under the Configuration tab:

    Parameter | Description
    --------- | -----------
    API Token | Your Maldatabase API Key.

    See the Known Issues and Limitations chapter for details regarding the default status of objects ingested by the feed.

  5. Review any additional settings, make any changes if needed, and click on Save.
  6. Click on the toggle switch, located above the Additional Information section, to enable it.

ThreatQ Mapping

Maldatabase Feed

Maldatabase provides an API that users can use to extract data in JSON format.

Sample Response:

{
   "sha256":"e89bc6077a352481aab03dee0d93b1c55f6f866775d67fc70e2026ef1a3be44e",
   "threat_level":"2",
   "md5":"db696e2837ec60504d5f94fc3df7dcc9",
   "sha1":"61c65d46eb23d8064692865f80e02f1b3bdac245",
   "family":"",
   "size":"145763",
   "type":"Word document",
   "domains":[
      "aesculapius.000webhostapp.com",
      "us-east-1.route-1.000webhost.awex.io",
      "block.io"
   ],
   "processes":[
      "winword.exe",
      "svchst.exe"
   ],
   "files":[
      "svchst.exe",
      "skinsoft.visualstyler.dll",
      "newtonsoft.json.dll",
      "encryptedfilelist.txt",
      "gdipfontcachev1.dat"
   ]
}

ThreatQuotient provides the following default mapping for this feed:

Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Examples | Notes
-------------- | -------------- | ------------------------------------ | -------- | -----
.rss.channel.item[].sha256 | indicator.value | SHA-256 | e89bc6077a352481aab03dee0d93b1c55f6f866775d67fc70e2026ef1a3be44e | Has attributes: Threat Level, Malware Family, Size, File Type. Related to mapped indicator types: SHA-1, MD5, Filename.
.rss.channel.item[].threat_level | indicator.attribute | Threat Level | 2 | 
.rss.channel.item[].md5 | indicator.value | MD5 | db696e2837ec60504d5f94fc3df7dcc9 | Has attributes: Threat Level, Malware Family, Size, File Type. Related to mapped indicator types: SHA-1, SHA-256, Filename.
.rss.channel.item[].sha1 | indicator.value | SHA-1 | 61c65d46eb23d8064692865f80e02f1b3bdac245 | Has attributes: Threat Level, Malware Family, Size, File Type. Related to mapped indicator types: SHA-256, MD5, Filename.
.rss.channel.item[].family | indicator.attribute | Malware Family | | 
.rss.channel.item[].size | indicator.attribute | Size | 145763 | 
.rss.channel.item[].type | indicator.attribute | File Type | Word document | 
.rss.channel.item[].files | indicator.value | Filename | svchst.exe | Has attributes: Threat Level, Malware Family, Size, File Type. Related to mapped indicator types: SHA-256, SHA-1, MD5.
.rss.channel.item[].domains | indicator.value | FQDN | us-east-1.route-1.000webhost.awex.io | Has attributes: Threat Level, Malware Family.

Known Issues / Limitations

  • The feed has a default status of Review, which you can change to Active. However, filenames and domains will still be ingested with a Review status in order to avoid marking non-malicious entities as malicious.
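The following added example (not ThreatQuotient's or Maldatabase's code) shows how the default mapping table above and the status rule in this section combine for one feed record: hash indicators inherit the status configured on the feed, while Filename and FQDN indicators are always created as Review. The record is a constructed sample shaped like the response shown earlier; the indicator dict layout is an assumption made for illustration, not the ThreatQ API.

```python
# Constructed sample record shaped like the feed response above (not a live API result).
SAMPLE_RECORD = {
    "sha256": "e89bc6077a352481aab03dee0d93b1c55f6f866775d67fc70e2026ef1a3be44e",
    "threat_level": "2",
    "md5": "db696e2837ec60504d5f94fc3df7dcc9",
    "sha1": "61c65d46eb23d8064692865f80e02f1b3bdac245",
    "family": "",
    "size": "145763",
    "type": "Word document",
    "domains": ["aesculapius.000webhostapp.com", "block.io"],
    "processes": ["winword.exe", "svchst.exe"],  # not in the default mapping; ignored
    "files": ["svchst.exe", "newtonsoft.json.dll"],
}

# Hash and Filename indicators carry all four attributes; FQDNs carry the first two.
HASH_ATTRS = (("Threat Level", "threat_level"), ("Malware Family", "family"),
              ("Size", "size"), ("File Type", "type"))
DOMAIN_ATTRS = HASH_ATTRS[:2]
HASH_TYPES = (("SHA-256", "sha256"), ("SHA-1", "sha1"), ("MD5", "md5"))

def build_attributes(record, keys):
    """Return {attribute name: value}, skipping empty fields such as family "" above."""
    return {name: record[field] for name, field in keys if record.get(field)}

def map_record(record, feed_status="Active"):
    """Translate one feed record into ThreatQ-style indicator dicts (assumed layout).

    Hash indicators take feed_status (the status configured on the feed); Filename
    and FQDN indicators are always created as Review (Known Issues / Limitations).
    """
    hashes = [(t, record[f]) for t, f in HASH_TYPES if record.get(f)]
    hash_values = [v for _, v in hashes]
    file_names = list(record.get("files", []))
    hash_attrs = build_attributes(record, HASH_ATTRS)
    indicators = []
    for itype, value in hashes:
        others = [v for v in hash_values if v != value]  # relate to the other hash types
        indicators.append({"type": itype, "value": value, "status": feed_status,
                           "attributes": hash_attrs, "related": others + file_names})
    for name in file_names:
        indicators.append({"type": "Filename", "value": name, "status": "Review",
                           "attributes": hash_attrs, "related": hash_values})
    for fqdn in record.get("domains", []):
        indicators.append({"type": "FQDN", "value": fqdn, "status": "Review",
                           "attributes": build_attributes(record, DOMAIN_ATTRS),
                           "related": []})
    return indicators
```

Running `map_record(SAMPLE_RECORD)` yields seven indicators; only the three hashes come out as Active, which is the behaviour to expect when reviewing a feed run with the feed status changed from its default.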

Change Log

  • Version 1.0.0
    • Initial release

PDF Guides

Document | ThreatQ Version
-------- | ---------------
Maldatabase Feed CDF v1.0.0 | 4.21.2 or Greater