SlashNext Intel CDF
The web format of this guide reflects the most current release. Guides for older iterations are available in PDF format.
Integration Details
ThreatQuotient provides the following details for this integration:
| Current Integration Version | 1.0.1 |
| Compatible with ThreatQ Versions | >= 4.17.1 |
| Support Tier | ThreatQ Supported |
Introduction
The SlashNext for ThreatQ integration allows a user to ingest active zero-hour phishing IOCs from the following three feeds published by SlashNext Intel:
- SlashNext Intel - Phishing IPs
- SlashNext Intel - Phishing FQDNs
- SlashNext Intel - Phishing Wildcard URLs
The integration ingests the following system objects:
- Indicators
- Indicator Attributes
Installation
This integration can be installed in the My Integration section of your ThreatQ instance. See the Adding an Integration topic for more details.
Configuration
ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.
To configure the integration:
- Navigate to your integrations management page in ThreatQ.
- Select the Commercial option from the Category dropdown (optional).
If you are installing the integration for the first time, it will be located under the Disabled tab.
- Click on the integration entry to open its details page.
- Enter the following parameter under the Configuration tab:
Parameter Description SlashNext Threat Intel API Key The system uses this API key to authenticate with SlashNext Cloud. If you don’t have a valid API key, you can reach out to support@slashnext.com. - Review any additional settings, make any changes if needed, and click on Save.
- Click on the toggle switch, located above the Additional Information section, to enable it.
ThreatQ Mapping
SlashNext Intel - Phishing IPs
GET https://intel.slashnext.cloud/api/feed/ips
Sample Response:
[
{
"hostip": "52.160.67.152/32",
"threat_name": "Fake Login Page",
"threat_type": "Phishing & Social Engineering",
"first_seen": "08-04-2020 16:09:12 UTC",
"last_seen": "08-04-2020 16:09:12 UTC"
},
{
"hostip": "111.90.144.15/32",
"threat_name": "Fake Login Page",
"threat_type": "Phishing & Social Engineering",
"first_seen": "08-04-2020 14:38:47 UTC",
"last_seen": "08-04-2020 14:38:47 UTC"
},
{
"hostip": "191.232.191.232/32",
"threat_name": "Fake Login Page",
"threat_type": "Phishing & Social Engineering",
"first_seen": "08-04-2020 14:28:14 UTC",
"last_seen": "08-04-2020 14:28:14 UTC"
}
]ThreatQuotient provides the following default mapping for this feed:
| Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Published Date | Examples | Notes |
|---|---|---|---|---|---|
| .[].hostip | Indicator.Value | IP Address | N/A | 191.232.191.232 | The netmask is dropped from the value. |
| .[].threat_name | Indicator.Attribute | Threat Name | N/A | Fake Login Page | |
| .[].threat_type | Indicator.Attribute | Threat Type | N/A | Phishing & Social Engineering | |
| .[].first_seen | Indicator.Attribute | First Seen | N/A | 08-04-2020 16:09:12 UTC | |
| .[].last_seen | Indicator.Attribute | Last Seen | N/A | 08-04-2020 16:09:12 UTC |
SlashNext Intel - Phishing FQDNs
GET https://intel.slashnext.cloud/api/feed/domains
Sample Response:
[
{
"domain": "adventury.club",
"threat_name": "Rogue Software",
"threat_type": "Phishing & Social Engineering",
"first_seen": "08-04-2020 16:57:45 UTC",
"last_seen": "08-04-2020 16:57:45 UTC"
},
{
"domain": "39.vaterlines.com",
"threat_name": "Rogue Software",
"threat_type": "Phishing & Social Engineering",
"first_seen": "08-04-2020 16:57:29 UTC",
"last_seen": "08-04-2020 16:57:29 UTC"
},
{
"domain": "vir.xooinc.com",
"threat_name": "Fake Login Page",
"threat_type": "Phishing & Social Engineering",
"first_seen": "08-04-2020 16:57:28 UTC",
"last_seen": "08-04-2020 16:57:28 UTC"
}
]ThreatQuotient provides the following default mapping for this feed:
| Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Published Date | Examples | Notes |
|---|---|---|---|---|---|
| [].domain | Indicator.Value | FQDN | N/A | gbett.addresspuma.icu | |
| .[].threat_name | Indicator.Attribute | Threat Name | N/A | Rogue Software | |
| .[].threat_type | Indicator.Attribute | Threat Type | N/A | Phishing & Social Engineering | |
| .[].first_seen | Indicator.Attribute | First Seen | N/A | 08-04-2020 16:56:29 UTC | |
| .[].last_seen | Indicator.Attribute | Last Seen | N/A | 08-04-2020 16:56:29 UTC |
SlashNext Intel - Phishing Wildcard URLs
GET https://intel.slashnext.cloud/api/feed/wildcardurls
Sample Response:
[
{
"wildcardurl": "www.wwwc568.vip/*",
"threat_name": "Fake Login Page",
"threat_type": "Phishing & Social Engineering",
"first_seen": "08-04-2020 17:06:59 UTC",
"last_seen": "08-04-2020 17:06:59 UTC"
},
{
"wildcardurl": "fluride.com/*",
"threat_name": "Fake Login Page",
"threat_type": "Phishing & Social Engineering",
"first_seen": "08-04-2020 17:06:54 UTC",
"last_seen": "08-04-2020 17:06:54 UTC"
},
{
"wildcardurl": "find.masters-media.net/*",
"threat_name": "Internet Scam",
"threat_type": "Phishing & Social Engineering",
"first_seen": "08-04-2020 17:06:48 UTC",
"last_seen": "08-04-2020 17:06:48 UTC"
}
]ThreatQuotient provides the following default mapping for this feed:
| Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Published Date | Examples | Notes |
|---|---|---|---|---|---|
| .[].wildcardurl | Indicator.Value | URL | N/A | secure-access-65d42fn8rocb7219.videogate.xyz/* | |
| .[].threat_name | Indicator.Attribute | Threat Name | N/A | Fake Login Page | |
| .[].threat_type | Indicator.Attribute | Threat Type | N/A | Phishing & Social Engineering | |
| .[].first_seen | Indicator.Attribute | First Seen | N/A | 08-04-2020 17:06:34 UTC | |
| .[].last_seen | Indicator.Attribute | Last Seen | N/A | 08-04-2020 17:06:34 UTC |
Average Feed Run
Object counts and Feed runtime are supplied as generalities only - objects returned by a provider can differ based on credential configurations and Feed runtime may vary based on system resources and load.
SlashNext Intel - Phishing IPs
| Metric | Result |
|---|---|
| Run Time | 2 minutes |
| Indicators | 385 |
| Indicator Attributes | 1,540 |
SlashNext Intel - Phishing FQDNs
| Metric | Result |
|---|---|
| Run Time | 4 minutes |
| Indicators | 1,800 |
| Indicator Attributes | 7,200 |
SlashNext Intel - Phishing Wildcard URLs
| Metric | Result |
|---|---|
| Run Time | 3 minutes |
| Indicators | 1,800 |
| Indicator Attributes | 7,200 |
Known Issues / Limitations
- Due to the dynamic nature of the SlashNext Intel feeds, SlashNext recommends setting the feed run frequency to
Every Hour.
Change Log
- Version 1.0.1
- Update yaml with
namespacefield - Refactor yaml according to CDF Best Practices guidelines
- Update yaml with
- Version 1.0.0
- Initial release
PDF Guides
| Document | ThreatQ Version |
|---|---|
| SlashNext Intel CDF Guide v1.0.1 | 4.17.1 or Greater |