Pulsedive Operation
The web format of this guide reflects the most current release. Guides for older iterations are available in PDF format.
Integration Details
ThreatQuotient provides the following details for this integration:
Current Integration Version | 1.0.0 |
Compatible with ThreatQ Versions | >= 4.34.0 |
Support Tier | ThreatQ Supported |
Introduction
The Pulsedive operation enriches Indicators (of type FQDN, IP Address, IPv6 Address, URL and CVE), Malware objects, Intrusion Sets, Adversaries, Tools, Vulnerabilities, Events and Incidents.
The operation provides the following action:
- Query - queries Pulsedive for any context it has on the given object.
The operation is compatible with the following system objects:
- Adversaries
- Events
- Indicators (subtypes: IP Address, IPv6 Address, FQDN, URL, CVE)
- Malware
- Tools
- Vulnerabilities
- Incident
- Intrusion Set
Installation
This integration can be installed in the My Integration section of your ThreatQ instance. See the Adding an Integration topic for more details.
Configuration
ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.
To configure the integration:
- Navigate to your integrations management page in ThreatQ.
- Select the Operation option from the Type dropdown (optional).
- Click on the integration entry to open its details page.
- Enter the following parameter under the Configuration tab:
Parameter | Description |
---|---|
API Key | Your Pulsedive API Key. |
- Review any additional settings, make any changes if needed, and click on Save.
- Click on the toggle switch, located above the Additional Information section, to enable it.
Actions
The operation provides the following action:
Action | Description | Object Type | Object Subtype |
---|---|---|---|
Query | Queries Pulsedive for any context it has on the given object. | Adversaries, Events, Indicators, Malware, Tools, Vulnerabilities, Incident, Intrusion Set | Indicators - IP Address, IPv6 Address, FQDN, URL, CVE |
The operation will utilize different endpoints based on the type of system object.
Indicators
The following endpoint is used to query Indicators (except for CVE).
GET https://pulsedive.com/api/info.php?indicator=<indicator_value>
ThreatQuotient provides the following default mapping for this endpoint:
Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Examples | Notes |
---|---|---|---|---|
.risk | Indicator.Attribute | Risk | high | N/A |
.riskfactors[].description | Indicator.Attribute | Risk Factor | ['registration'] | N/A |
.attributes.hosttype[] | Indicator.Attribute | Host Type | ['Name Server'] | N/A |
.attributes.protocol[] | Indicator.Attribute | Protocol | ['DNS', 'FTP'] | N/A |
.attributes.technology[] | Indicator.Attribute | Technology | ['Apache'] | N/A |
.attributes.port[] | Indicator.Attribute | Port | ['21'] | N/A |
.properties.geo.country | Indicator.Attribute | Country | Brazil | N/A |
.properties.geo.countrycode | Indicator.Attribute | Country Code | BR | N/A |
.properties.geo.org | Indicator.Attribute | Organization | Mandic | N/A |
.properties.dns.ptr | Indicator.Value | FQDN | mail01.emidhost4.com.br | Applicable for ip , ipv6 indicators. Added with Status Indirect |
.properties.dns.a | Indicator.Value | IP Address | 12.12.12.12 | Applicable for domain indicator. Added with Status Review |
.properties.dns.ns[] | Indicator.Value | FQDN | ['aspx.1.google.com'] | Applicable for domain indicator. Added with Status Indirect |
.properties.dns.mx[] | Indicator.Value | FQDN | ['aspx.1.google.com'] | Applicable for domain indicator. Added with Status Indirect |
.properties.geo.asn | Indicator.Value | ASN | 123445 | Trimmed 'AS' if present in the value. Added with Status Review |
.threats[].name | Indicator.Attribute | Pulsedive <.threats[].category> | Pulsedive Phishing | The attribute key is 'Pulsedive ' followed by the threat category. Not applied when .threats[].category == 'vulnerability' (see next row) |
.threats[].name | Indicator.Value | CVE | CVE-1999-123455 | Only if .threats[].category == 'vulnerability'. Such a threat is ingested as a Related Indicator with Status Review |
.feeds[].name | Indicator.Attribute | Feed Name | Zeus Bad IPs | N/A |
.feeds[].category | Indicator.Attribute | Feed Category | malware | N/A |
.feeds[].organisation | Indicator.Attribute | Feed Organization | Org | N/A |
.properties.whois.registrant country | Indicator.Attribute | Registrant Country | RO | (*) |
.properties.whois.registrant name | Indicator.Attribute | Registrant Name | Comp | (*) |
.properties.whois.registrant phone | Indicator.Attribute | Registrant Phone | +07124827845354 | (*) |
.properties.whois.registrant organization | Indicator.Attribute | Registrant Organization | Org.net | (*) |
.properties.whois.registrant postal code | Indicator.Attribute | Registrant Postal Code | 402342 | (*) |
.properties.whois.registrant state/province | Indicator.Attribute | Registrant State/Province | CA | (*) |
.properties.whois.registrant street | Indicator.Attribute | Registrant Street | HighLvl N1 | (*) |
.properties.whois.registrant email | Indicator.Attribute | Registrant Email | dsefd@comp.org | (*) |
* All .properties.whois.registrant <name> rows apply only when the API request was made for an FQDN or URL indicator type.
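The following is an added worked example, not ThreatQuotient's or Pulsedive's code, that applies the Indicators mapping above to a constructed info.php response in Python. It builds a percent-encoded query (the `key` parameter name is an assumption; the page shows only `indicator` and `get`), copies the attribute fields, routes DNS records by the queried indicator's type, strips a leading 'AS' from the ASN, turns a 'vulnerability' threat into a related CVE with Review status, and maps WHOIS registrant fields only for domain and URL queries. The sample response is constructed to exercise those rules and is not real Pulsedive output.

```python
# Added example (not ThreatQuotient or Pulsedive code): applies the indicator
# mapping table to an info.php response. The response below is constructed;
# the key= query parameter is an assumption not shown on this page.
from urllib.parse import urlencode

PULSEDIVE_INFO = "https://pulsedive.com/api/info.php"
SIMPLE_ATTRS = {  # attribute key -> path in the response (scalar or list)
    "Risk": ("risk",), "Host Type": ("attributes", "hosttype"),
    "Protocol": ("attributes", "protocol"), "Technology": ("attributes", "technology"),
    "Port": ("attributes", "port"), "Country": ("properties", "geo", "country"),
    "Country Code": ("properties", "geo", "countrycode"),
    "Organization": ("properties", "geo", "org"),
}


def build_info_url(indicator, links=False, api_key=None):
    """Percent-encode the query: URL indicators contain '?', '&' and '='."""
    params = {"indicator": indicator}
    if links:
        params["get"] = "links"
    if api_key:
        params["key"] = api_key  # assumed parameter name
    return f"{PULSEDIVE_INFO}?{urlencode(params)}"


def _get(data, *path):
    for key in path:
        data = data.get(key) if isinstance(data, dict) else None
    return data


def _many(value):  # Pulsedive returns some fields as a scalar, some as a list
    return [] if value is None else value if isinstance(value, list) else [value]


def map_indicator(resp):
    """Return (attributes, related_indicators) per the mapping table."""
    ptype = resp.get("type")
    attrs, related = [], []

    def attr(key, value):
        if value not in (None, "", []):
            attrs.append({"name": key, "value": str(value)})

    def rel(itype, value, status):
        if value not in (None, ""):
            related.append({"type": itype, "value": str(value), "status": status})

    for key, path in SIMPLE_ATTRS.items():
        for v in _many(_get(resp, *path)):
            attr(key, v)
    for rf in _many(resp.get("riskfactors")):
        attr("Risk Factor", rf.get("description"))
    for feed in _many(resp.get("feeds")):
        attr("Feed Name", feed.get("name"))
        attr("Feed Category", feed.get("category"))
        attr("Feed Organization", feed.get("organisation"))
    # A threat of category 'vulnerability' becomes a related CVE (status Review);
    # any other category becomes an attribute keyed "Pulsedive <Category>".
    for threat in _many(resp.get("threats")):
        cat = (threat.get("category") or "").lower()
        if cat == "vulnerability":
            rel("CVE", threat.get("name"), "Review")
        else:
            attr(f"Pulsedive {cat.title()}", threat.get("name"))
    # DNS records: PTR only for ip/ipv6 queries; A, NS and MX only for domains.
    dns = _get(resp, "properties", "dns") or {}
    if ptype in ("ip", "ipv6"):
        for v in _many(dns.get("ptr")):
            rel("FQDN", v, "Indirect")
    elif ptype == "domain":
        for v in _many(dns.get("a")):
            rel("IP Address", v, "Review")
        for rr in ("ns", "mx"):
            for v in _many(dns.get(rr)):
                rel("FQDN", v, "Indirect")
    asn = _get(resp, "properties", "geo", "asn")
    if asn:  # strip a leading 'AS' so the ASN indicator is the bare number
        rel("ASN", str(asn).upper().removeprefix("AS"), "Review")
    # WHOIS registrant fields are mapped only when the query was an FQDN or URL.
    if ptype in ("domain", "url"):
        for k, v in (_get(resp, "properties", "whois") or {}).items():
            if k.startswith("registrant "):
                attr("Registrant " + k[len("registrant "):].title(), v)
    return attrs, related


# Constructed response for a domain query, shaped like the fields in the table.
SAMPLE_DOMAIN = {
    "type": "domain", "risk": "high", "riskfactors": [{"description": "registration"}],
    "attributes": {"hosttype": ["Name Server"], "protocol": ["DNS", "FTP"], "port": ["21"]},
    "properties": {
        "geo": {"country": "Brazil", "countrycode": "BR", "org": "Mandic", "asn": "AS123445"},
        "dns": {"a": "12.12.12.12", "ns": ["aspx.1.google.com"], "mx": ["aspx.1.google.com"]},
        "whois": {"registrant country": "RO", "registrant state/province": "CA"}},
    "threats": [{"name": "Zeus", "category": "malware"},
                {"name": "CVE-1999-123455", "category": "vulnerability"}],
    "feeds": [{"name": "Zeus Bad IPs", "category": "malware", "organisation": "Org"}],
}
```

Running `map_indicator(SAMPLE_DOMAIN)` yields the Risk, Host Type, Protocol, Port, geo, feed and registrant attributes plus a 'Pulsedive Malware' attribute for Zeus, and related indicators for the A record (Review), the NS and MX names (Indirect), the bare ASN 123445 (Review) and the CVE (Review). Querying the same response with `"type": "ip"` would instead map only PTR records and skip the WHOIS block.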
Pulsedive to ThreatQ Indicator Mapping
Pulsedive Type | ThreatQ Indicator Type |
---|---|
domain | FQDN |
ip | IP Address |
ipv6 | IPv6 Address |
url | URL |
vulnerability | CVE |
Related Indicators
The following endpoint is used to query Related Indicators.
GET https://pulsedive.com/api/info.php?indicator=<indicator_value>&get=links
ThreatQuotient provides the following default mapping for this endpoint:
Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Examples | Notes |
---|---|---|---|---|
.Redirects[].indicator | Indicator.Value | .Redirects[].type mapped via the Pulsedive to ThreatQ Indicator Mapping | alvoportas.com.br | (**) |
.SSL Certificate Domains[].indicator | Indicator.Value | .SSL Certificate Domains[].type mapped via the Pulsedive to ThreatQ Indicator Mapping | accessa.com.br | (**) |
.Reverse DNS[].indicator | Indicator.Value | .Reverse DNS[].type mapped via the Pulsedive to ThreatQ Indicator Mapping | mail01.emidhost4.com.br | (**) |
.Active DNS[].indicator | Indicator.Value | .Active DNS[].type mapped via the Pulsedive to ThreatQ Indicator Mapping | alvoportas.com.br | (**) |
.Mail Server[].indicator | Indicator.Value | .Mail Server[].type mapped via the Pulsedive to ThreatQ Indicator Mapping | mail01.emidhost4.com.br | (**) |
.Sources[].indicator | Indicator.Value | .Sources[].type mapped via the Pulsedive to ThreatQ Indicator Mapping | mail01.emidhost4.com.br | (**) |
.Related URLs[].indicator | Indicator.Value | .Related URLs[].type mapped via the Pulsedive to ThreatQ Indicator Mapping | http://pulsedive.com | (**) |
** Indicator types are derived from each entry's .type using the Pulsedive to ThreatQ Indicator Mapping. FQDN indicators are ingested with Indirect status; all other types are ingested with Review status.
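An added example, not ThreatQuotient's or Pulsedive's code, showing the Related Indicators rule above in Python: every entry under every link group is typed through the Pulsedive to ThreatQ Indicator Mapping, FQDNs get Indirect status and everything else Review, and entries whose Pulsedive type has no ThreatQ counterpart are dropped rather than guessed. The link groups and values are constructed from the examples in the table, not real Pulsedive output.

```python
# Added example (not ThreatQuotient or Pulsedive code): maps a constructed
# get=links response to ThreatQ related indicators per the rule above.
TYPE_MAP = {"domain": "FQDN", "ip": "IP Address", "ipv6": "IPv6 Address",
            "url": "URL", "vulnerability": "CVE"}


def map_links(resp):
    """Return related indicators from a get=links response.

    Each top-level key is a link group ("Redirects", "Reverse DNS", ...) whose
    value is a list of {"indicator": ..., "type": ...} entries.
    """
    related = []
    for group, entries in resp.items():
        if not isinstance(entries, list):
            continue
        for entry in entries:
            tq_type = TYPE_MAP.get((entry.get("type") or "").lower())
            value = entry.get("indicator")
            if not tq_type or not value:
                continue  # no ThreatQ type for this Pulsedive type: skip
            status = "Indirect" if tq_type == "FQDN" else "Review"
            related.append({"type": tq_type, "value": value,
                            "status": status, "link_group": group})
    return related


# Constructed links response using the example values from the table.
SAMPLE_LINKS = {
    "Redirects": [{"indicator": "alvoportas.com.br", "type": "domain"}],
    "Reverse DNS": [{"indicator": "mail01.emidhost4.com.br", "type": "domain"}],
    "Related URLs": [{"indicator": "http://pulsedive.com", "type": "url"}],
    "Active DNS": [{"indicator": "12.12.12.12", "type": "ip"},
                   {"indicator": "unknown", "type": "artifact"}],  # dropped
}
```

`map_links(SAMPLE_LINKS)` returns four related indicators: the two domains as FQDN/Indirect, the URL and the IP address as Review, and nothing for the entry whose type is not in the mapping.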
Other Objects & CVE Indicators
The following endpoint is used to query all other object types and CVE Indicators.
GET https://pulsedive.com/api/info.php?threat=<object_value>
ThreatQuotient provides the following default mapping for this endpoint:
Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Examples | Notes |
---|---|---|---|---|
.threat.risk | Object.Attribute | Risk | low | N/A |
.threatq.stamp_added | Object.Attribute | Linked At | 1999-20-20 12:12:12 | N/A |
.threat.wikisummary + .threat.description | Object.Description | N/A | some desc | The concatenated value of the two keys is appended to the object description under the header 'Pulsedive Wiki Summary' |
.threat.news[].link | Object.Attribute | News Link | http://newslnk.com | N/A |
.threat.news[].title | Object.Attribute | News Title | Malwarebytes Labs | N/A |
.wikireference | Object.Attribute | Reference | Reference Data | N/A |
Object in the table above refers to the ThreatQ object the operation is run on. The supported objects are listed under the compatible system objects in the Introduction.
Related Indicators of an Object
The following endpoint is used to query Related Indicators of an Object.
GET https://pulsedive.com/api/info.php?threat=<object_value>&get=links
ThreatQuotient provides the following default mapping for this endpoint:
Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Examples | Notes |
---|---|---|---|---|
.results[].indicator | Indicator.Value | .results[].type mapped via the Pulsedive to ThreatQ Indicator Mapping | zeus | The indicator type is derived from .results[].type using the Pulsedive to ThreatQ Indicator Mapping above |
Change Log
- Version 1.0.0
- Initial release
PDF Guides
Document | ThreatQ Version |
---|---|
Pulsedive Operation Guide v1.0.0 | 4.34.0 or Greater |