Zvelo CDF
The web format of this guide reflects the most current release. Guides for older iterations are available in PDF format.
Integration Details
ThreatQuotient provides the following details for this integration:
Detail | Value |
---|---|
Current Integration Version | 1.1.0 |
Compatible with ThreatQ Versions | >= 4.27.0 |
Support Tier | ThreatQ Supported |
Introduction
The Zvelo CDF provides contextual datasets, premium phishing and malicious threat intelligence.
The integration provides the following feeds:
- Zvelo PhishBlocklist - ingests phishing threats from Zvelo that are enriched with additional metadata attributes.
- Zvelo Malicious Detailed Detection - ingests malicious threat intelligence data from Zvelo that is enriched with additional metadata attributes.
- Zvelo Threats - ingests malicious IoCs from Zvelo that are enriched with additional metadata attributes.
The integration ingests the following system objects:
- Indicators
- Indicator Attributes
Prerequisites
The Zvelo CDF requires the following:
- Zvelo API Client ID
- Zvelo Client Secret
Installation
This integration can be installed in the My Integration section of your ThreatQ instance. See the Adding an Integration topic for more details.
Configuration
ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.
To configure the integration:
- Navigate to your integrations management page in ThreatQ.
- Select the Commercial option from the Category dropdown (optional).
If you are installing the integration for the first time, it will be located under the Disabled tab.
- Click on the integration entry to open its details page.
- Enter the following parameters under the Configuration tab:
Parameter | Description |
---|---|
Client ID | Your Zvelo API Client ID to authenticate. |
Client Secret | Your Zvelo API Client Secret to authenticate. |
Status | Filter the results based on the status of the indicator. Options include: All (default), Active, Inactive. |
Confidence | The minimum confidence value for which an indicator will be ingested. The default value for this parameter is 0. |
Update Indicator Status | Select whether to update the status of the indicator with the Zvelo status. This parameter is disabled by default. See the Known Issues section for further details on this parameter option. |
- Review any additional settings, make any changes if needed, and click on Save.
- Click on the toggle switch, located above the Additional Information section, to enable it.
ThreatQ Mapping
Zvelo PhishBlocklist
The Zvelo PhishBlocklist feed ingests phishing threats from Zvelo that are enriched with additional metadata attributes.
GET https://api.zvelo.io/v1/phish
```json
{
  "_meta": {
    "version": "1",
    "request_id": "2RHnGMyFWZJla85CRRigTAxdvMb",
    "generated_at": "2023-06-16T11:42:57.666041272Z",
    "requested_query": ""
  },
  "_response_part": {
    "page_no": 1,
    "num_pages": 2
  },
  "phish_info": {
    "phish": [
      {
        "ip_info": [
          {
            "ip": "2606:4700::6812:375"
          },
          {
            "ip": "104.18.3.117"
          }
        ],
        "url": "http://uspssitechange.com/",
        "discovered_date": "2023-06-16T11:12:49Z",
        "brand": "usps",
        "confidence_level": 80,
        "last_active_date": "2023-06-16T11:12:49Z",
        "status": "inactive",
        "last_verified_date": "2023-06-16T11:38:47.625155Z"
      }
    ]
  }
}
```
ThreatQuotient provides the following default mapping for this feed:
Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Published Date | Examples | Notes |
---|---|---|---|---|---|
.phish_info.phish[].url | Indicator.Value | URL | .phish_info.phish[].discovered_date | http://uspssitechange.com/ | N/A |
.phish_info.phish[].ip_info[].ip | Related Indicator.Value | IP Address / IPv6 Address | .phish_info.phish[].discovered_date | 104.18.3.117 | N/A |
.phish_info.phish[].brand | Indicator.Attribute, Related Indicator.Attribute | Brand | .phish_info.phish[].discovered_date | usps | N/A |
.phish_info.phish[].confidence_level | Indicator.Attribute, Related Indicator.Attribute | Confidence Level | .phish_info.phish[].discovered_date | 80 | N/A |
.phish_info.phish[].last_active_date | Indicator.Attribute, Related Indicator.Attribute | Last Active Date | .phish_info.phish[].discovered_date | 2023-06-16T11:12:49Z | The attribute value is updated at ingestion |
.phish_info.phish[].last_verified_date | Indicator.Attribute, Related Indicator.Attribute | Last Verified Date | .phish_info.phish[].discovered_date | 2023-06-16T11:38:47.625155Z | The attribute value is updated at ingestion |
Zvelo Malicious Detailed Detection
The Zvelo Malicious Detailed Detection feed ingests malicious threat intelligence data from Zvelo that is enriched with additional metadata attributes.
GET https://api.zvelo.io/v1/malicious
```json
{
  "_meta": {
    "version": "1",
    "request_id": "2RQLffZwjb3WIPVmNUlhWecTHue",
    "generated_at": "2023-06-19T12:24:22.717062214Z",
    "requested_query": ""
  },
  "_response_part": {
    "page_no": 0,
    "num_pages": 1
  },
  "malicious_info": {
    "malicious": [
      {
        "ip_info": [
          {
            "ip": "117.213.42.81"
          }
        ],
        "url": "http://117.213.42.81/Mozi.m/",
        "discovered_date": "2023-06-19T11:40:28Z",
        "confidence_level": 100,
        "last_active_date": "2023-06-19T11:40:28Z",
        "status": "active",
        "last_verified_date": "2023-06-19T11:40:28.558398Z"
      }
    ]
  }
}
```
ThreatQuotient provides the following default mapping for this feed:
Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Published Date | Examples | Notes |
---|---|---|---|---|---|
.phish_info.phish[].url | Indicator.Value | URL | .phish_info.phish[].discovered_date | http://uspssitechange.com/ | N/A |
.phish_info.phish[].ip_info[].ip | Related Indicator.Value | IP Address / IPv6 Address | .phish_info.phish[].discovered_date | 104.18.3.117 | N/A |
.phish_info.phish[].brand | Indicator.Attribute, Related Indicator.Attribute | Brand | .phish_info.phish[].discovered_date | usps | N/A |
.phish_info.phish[].confidence_level | Indicator.Attribute, Related Indicator.Attribute | Confidence Level | .phish_info.phish[].discovered_date | 80 | N/A |
.phish_info.phish[].last_active_date | Indicator.Attribute, Related Indicator.Attribute | Last Active Date | .phish_info.phish[].discovered_date | 2023-06-16T11:12:49Z | The attribute value is updated at ingestion |
.phish_info.phish[].last_verified_date | Indicator.Attribute, Related Indicator.Attribute | Last Verified Date | .phish_info.phish[].discovered_date | 2023-06-16T11:38:47.625155Z | The attribute value is updated at ingestion |
Zvelo Threats
The Zvelo Threats feed ingests threats (IOCs) from Zvelo's API. These IOCs may be phishing URLs, C2 servers, or other types of threats.
GET https://api.zvelo.io/v1/threat
```json
{
  "_meta": {
    "version": "1",
    "request_id": "2VGItRIlDpUxCicOiWhCCXxGZD1",
    "generated_at": "2023-09-11T18:16:44.427844289Z",
    "requested_query": ""
  },
  "_response_part": {
    "page_no": 0,
    "num_pages": 1
  },
  "threat_info": {
    "threat": [
      {
        "id": "bb5793b2-25dd-436b-b3b8-9c87836da1c7",
        "ioc": "39.105.50.248:443",
        "ioc_type": "ip",
        "threat_type": "command and control",
        "malware_family": "covenant",
        "ip_info": [
          {
            "ip": "39.105.50.248"
          }
        ],
        "discovered_date": "2022-08-04T09:02:19Z",
        "confidence_level": 100,
        "last_active_date": "2023-09-11T05:07:24Z",
        "status": "active",
        "last_verified_date": "2023-09-11T05:07:24Z",
        "updated_at": "2023-09-11T05:08:57.248228Z",
        "action": "u"
      }
    ]
  }
}
```
ThreatQuotient provides the following default mapping for this feed:
Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Published Date | Examples | Notes |
---|---|---|---|---|---|
.ioc | Indicator.Value | Based on .ioc_type value | .discovered_date | 39.105.50.248 | N/A |
.ip_info[].ip | Related Indicator.Value | IP Address / IPv6 Address | .discovered_date | N/A | N/A |
.malware_family | Indicator.Attribute, Related Indicator.Attribute | Malware Family | .discovered_date | covenant | N/A |
.confidence | Indicator.Attribute, Related Indicator.Attribute | Confidence | .discovered_date | 100 | N/A |
.threat_type | Indicator.Attribute, Related Indicator.Attribute | Threat Type | .discovered_date | command and control | N/A |
.last_active_date | Indicator.Attribute, Related Indicator.Attribute | Last Active Date | .discovered_date | 2023-09-11T05:07:24Z | The attribute value is updated at ingestion |
.last_verified_date | Indicator.Attribute, Related Indicator.Attribute | Last Verified Date | .discovered_date | 2023-09-11T05:07:24Z | The attribute value is updated at ingestion |
.updated_at | Indicator.Attribute, Related Indicator.Attribute | Updated At | .discovered_date | 2023-09-11T05:08:57.248228Z | The attribute value is updated at ingestion |
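The following is an added example, not ThreatQuotient's or Zvelo's own code, showing how the Status and Confidence configuration parameters and the three mapping tables above combine in practice: feed records from the sample responses in this guide are filtered and turned into ThreatQ-style indicator dicts with related IP/IPv6 indicators and attributes. The output dict layout, the `ingest` and `map_record` names, reading the Threats feed's Confidence attribute from `confidence_level` (the field the sample response carries), and stripping a trailing `:port` from an `ip` IOC so the value matches the `39.105.50.248` shown in the Examples column are all assumptions made for the example.

```python
"""Added example (not ThreatQuotient's or Zvelo's code): filter Zvelo feed
records by Status/Confidence and map them per the guide's mapping tables."""
import ipaddress

# Attribute keys taken from the mapping tables above.
PHISH_ATTRIBUTES = {
    "brand": "Brand",
    "confidence_level": "Confidence Level",
    "last_active_date": "Last Active Date",
    "last_verified_date": "Last Verified Date",
}
THREAT_ATTRIBUTES = {
    "malware_family": "Malware Family",
    "confidence_level": "Confidence",  # table lists .confidence; sample carries confidence_level (assumption)
    "threat_type": "Threat Type",
    "last_active_date": "Last Active Date",
    "last_verified_date": "Last Verified Date",
    "updated_at": "Updated At",
}
# Where each feed's records live in the response body.
FEED_RECORDS = {
    "phish": ("phish_info", "phish"),
    "malicious": ("malicious_info", "malicious"),
    "threat": ("threat_info", "threat"),
}


def ip_indicator_type(ip: str) -> str:
    """'IP Address' for IPv4, 'IPv6 Address' for IPv6; ValueError if not an address."""
    return "IPv6 Address" if ipaddress.ip_address(ip).version == 6 else "IP Address"


def passes_filters(record: dict, status_filter: str = "All", min_confidence: int = 0) -> bool:
    """Status parameter: All / Active / Inactive. Confidence parameter: minimum confidence_level."""
    if status_filter.lower() != "all" and record.get("status", "").lower() != status_filter.lower():
        return False
    return int(record.get("confidence_level", 0)) >= min_confidence


def attributes_for(record: dict, keys: dict) -> dict:
    """Pick the attribute fields that are present and rename them to ThreatQ attribute keys."""
    return {key_name: record[field] for field, key_name in keys.items() if field in record}


def threat_ioc_value(record: dict) -> tuple:
    """Indicator value and type for a Threats record, based on .ioc_type.
    Assumption: an 'ip' IOC may carry ':port' (as in the sample); the port is dropped."""
    ioc, ioc_type = record["ioc"], record["ioc_type"]
    if ioc_type == "ip":
        try:
            return ioc, ip_indicator_type(ioc)
        except ValueError:  # not a bare address, so try host:port / [v6]:port
            host = ioc.rsplit(":", 1)[0].strip("[]")
            return host, ip_indicator_type(host)
    if ioc_type == "url":
        return ioc, "URL"
    raise ValueError(f"unhandled ioc_type {ioc_type!r}")


def map_record(feed: str, record: dict) -> dict:
    """Map one feed record to an indicator dict plus related IP indicators sharing its attributes."""
    if feed == "threat":
        value, itype = threat_ioc_value(record)
        attrs = attributes_for(record, THREAT_ATTRIBUTES)
    else:  # phish and malicious records both carry a url
        value, itype = record["url"], "URL"
        attrs = attributes_for(record, PHISH_ATTRIBUTES)
    published = record["discovered_date"]  # Published Date column for every row
    related = [
        {"value": ip["ip"], "type": ip_indicator_type(ip["ip"]),
         "published_at": published, "attributes": dict(attrs)}
        for ip in record.get("ip_info", [])
    ]
    return {"value": value, "type": itype, "published_at": published,
            "attributes": attrs, "related": related}


def ingest(feed: str, response: dict, status_filter: str = "All", min_confidence: int = 0) -> list:
    """Apply the configured filters to one API response page and map the surviving records."""
    section, key = FEED_RECORDS[feed]
    records = response.get(section, {}).get(key, [])
    return [map_record(feed, r) for r in records if passes_filters(r, status_filter, min_confidence)]


# Sample records copied (trimmed) from the responses shown in this guide.
PHISH_RESPONSE = {"phish_info": {"phish": [{
    "ip_info": [{"ip": "2606:4700::6812:375"}, {"ip": "104.18.3.117"}],
    "url": "http://uspssitechange.com/", "discovered_date": "2023-06-16T11:12:49Z",
    "brand": "usps", "confidence_level": 80, "last_active_date": "2023-06-16T11:12:49Z",
    "status": "inactive", "last_verified_date": "2023-06-16T11:38:47.625155Z"}]}}
THREAT_RESPONSE = {"threat_info": {"threat": [{
    "id": "bb5793b2-25dd-436b-b3b8-9c87836da1c7", "ioc": "39.105.50.248:443", "ioc_type": "ip",
    "threat_type": "command and control", "malware_family": "covenant",
    "ip_info": [{"ip": "39.105.50.248"}], "discovered_date": "2022-08-04T09:02:19Z",
    "confidence_level": 100, "last_active_date": "2023-09-11T05:07:24Z", "status": "active",
    "last_verified_date": "2023-09-11T05:07:24Z", "updated_at": "2023-09-11T05:08:57.248228Z",
    "action": "u"}]}}

if __name__ == "__main__":
    for feed, resp in (("phish", PHISH_RESPONSE), ("threat", THREAT_RESPONSE)):
        for ind in ingest(feed, resp, status_filter="All", min_confidence=0):
            print(feed, ind["type"], ind["value"], sorted(ind["attributes"]), len(ind["related"]))
```

With the Status parameter set to Active, the sample PhishBlocklist record (status `inactive`) is dropped entirely, and a Confidence value above 80 drops it as well; the related IP indicators inherit the same attributes and published date as the URL they came from, which is what the "Related Indicator.Attribute" entries in the tables describe.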
Average Feed Run
Object counts and Feed runtime are supplied as generalities only - objects returned by a provider can differ based on credential configurations and Feed runtime may vary based on system resources and load.
Zvelo PhishBlocklist
Metric | Result |
---|---|
Run Time | 1 minute |
Indicators | 170 |
Indicator Attributes | 1,019 |
Zvelo Malicious Detailed Detection
Metric | Result |
---|---|
Run Time | 1 minute |
Indicators | 87 |
Indicator Attributes | 409 |
Zvelo Threats
Metric | Result |
---|---|
Run Time | 1 minute |
Indicators | 873 |
Indicator Attributes | 6,499 |
Known Issues / Limitations
- The Run Frequency should be set to Hourly as the Zvelo API limits the time range to an hour.
- In order for the Status of the Indicator to be updated, confirm that the Active status is not protected from feed override. This can be set from the Object Management page on your ThreatQ instance.
Change Log
- Version 1.1.0
- Added new feed: Zvelo Threats.
- Version 1.0.0
- Initial release
PDF Guides
Document | ThreatQ Version |
---|---|
Zvelo CDF Guide v1.1.0 | 4.27 or Greater |
Zvelo CDF Guide v1.0.0 | 4.27 or Greater |