Symantec Threat Intelligence Operation

The web format of this guide reflects the most current release. Guides for older iterations are available in PDF format.

Integration Details

ThreatQuotient provides the following details for this integration:

Introduction

The Symantec Threat Intelligence operation enriches ThreatQ indicators with context obtained from the Symantec Threat Intelligence API.

The operation provides the following actions:

  • Insight
  • Protection
  • Related

The operation is compatible with IP Address, FQDN, and SHA-256 Indicator types.

Installation

This integration can be installed in the My Integration section of your ThreatQ instance. See the Adding an Integration topic for more details.

Configuration

ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.

To configure the integration:

  1. Navigate to your integrations management page in ThreatQ.
  2. Select the Operation option from the Type dropdown (optional).
  3. Click on the integration entry to open its details page.
  4. Enter the following parameters under the Configuration tab:

     Parameter                       Description
     Client ID                       Your Symantec Threat Intelligence Client Key.
     Client Secret                   Your Symantec Threat Intelligence Client Secret.
     Automatically Add Indicators    If checked, related indicators are added automatically together with their attributes. If not checked, the user selects which indicators to add, and they are added without their attributes. This parameter applies only to the Related action.

  5. Review any additional settings, make any changes if needed, and click on Save.
  6. Click on the toggle switch, located above the Additional Information section, to enable the operation.

Actions

The operation provides the following actions:

Action       Description               Object Type   Object Subtype
Insight      Enriches ThreatQ objects  Indicators    IP Address, FQDN, SHA-256
Protection   Enriches ThreatQ objects  Indicators    IP Address, FQDN, SHA-256
Related      Enriches ThreatQ objects  Indicators    IP Address, FQDN, SHA-256

Insight

The Insight action enriches ThreatQ objects using the returned JSON response.

GET http://brcm-cnb-star-sia.apigee.net/v1/threat-intel/insight/file/{sha-256}

GET http://brcm-cnb-star-sia.apigee.net/v1/threat-intel/insight/network/{ip-address/fqdn}

Sample Response:

{
    "file": "eec3f761f7eabe9ed569f39e896be24c9bbb8861b15dbde1b3d539505cd9dd8d",
    "reputation": "BAD",
    "prevalence": "Hundreds",
    "firstSeen": "2020-08-27",
    "lastSeen": "2020-08-27",
    "targetOrgs": {
        "topCountries": [
            "tr",
            "de",
            "us",
            "qa",
            "ie"
        ],
        "topIndustries": [
            "wholesale",
            "manufacturing",
            "financial services",
            "retail"
        ]
    }
}

ThreatQuotient provides the following default mapping for this action:

Feed Data Path                 ThreatQ Entity       ThreatQ Object Type or Attribute Key   Examples     Notes
.reputation                    Indicator.Attribute  Reputation                             BAD          N/A
.prevalence                    Indicator.Attribute  Prevalence                             Hundreds     N/A
.firstSeen                     Indicator.Attribute  First Seen                             2020-08-27   N/A
.targetOrgs.topCountries[]     Indicator.Attribute  Country                                tr           N/A
.targetOrgs.topIndustries[]    Indicator.Attribute  Industry                               wholesale    N/A

Protection

The Protection action enriches ThreatQ objects using the returned JSON response.

GET http://brcm-cnb-star-sia.apigee.net/v1/threat-intel/protection/file/{sha-256}

GET http://brcm-cnb-star-sia.apigee.net/v1/threat-intel/protection/network/{ip-address/fqdn}

Sample Response:

{
    "network": "google.com",
    "state": [
        {
            "technology": "AntiVirus",
            "firstDefsetVersion": "2020.07.31.004",
            "threatName": "heur.advml.b"
        },
        {
            "technology": "Intrusion Prevention System",
            "firstDefsetVersion": "20150403.001",
            "threatName": "System Infected: W32.SillyFDC Activity 3"
        }
    ]
}

ThreatQuotient provides the following default mapping for this action:

Feed Data Path                                       ThreatQ Entity       ThreatQ Object Type or Attribute Key   Examples                        Notes
.state[].threatName + .state[].firstDefsetVersion    Indicator.Attribute  .state[].technology (e.g. AntiVirus)   heur.advml.b - 2020.07.31.004   One attribute per state entry; the attribute key is the technology name and the value is threatName and firstDefsetVersion joined with " - "

Related

The Related action enriches ThreatQ objects using the returned JSON response.

GET http://api.sep.securitycloud.symantec.com/v1/threat-intel/related/file/{sha-256}

GET http://api.sep.securitycloud.symantec.com/v1/threat-intel/related/network/{ip-address/fqdn}

Sample Response:

{
    "network": "145.249.105.165",
    "related": [
        {
            "iocType": "Network",
            "iocValues": [
                "79.142.70.106",
                "veramebel.kz"
            ],
            "relation": "byThreatActor"
        },
        {
            "iocType": "File",
            "iocValues": [
                "370b4a94d511317ad0672f030478f324abd79f2edb4d690eb41dd803a0debd36",
                "022d89f8ab9a60b38684b25a1b7f3fe2dd7d8817fad5642305ec9acc004e0eff"
            ],
            "relation": "byThreatActor"
        }
    ]
}

ThreatQuotient provides the following default mapping for this action:

Feed Data Path             ThreatQ Entity               ThreatQ Object Type or Attribute Key   Examples        Notes
.related[].iocValues[]     Related Indicator.Value      Parsed from .related[].iocType          veramebel.kz    Possible indicator types: IP Address, FQDN, and SHA-256
.related[].relation        Related Indicator.Attribute  Relation                                byThreatActor   N/A
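The three default mappings above (Insight, Protection, Related), plus the choice between the /file and /network endpoint paths that depends on the indicator type, are easy to get subtly wrong when reimplemented or verified by hand. The following is an added example, not ThreatQuotient's or Symantec's code: it applies each mapping table to the sample responses from this guide (embedded below as constructed test data) and derives the related-indicator type from the value, cross-checked against iocType. The function names, the tuple/dict output shapes, and the auto_add flag (which stands in for the "Automatically Add Indicators" setting) are this example's own assumptions, not the operation's internal API.

```python
"""Added example: apply the guide's default mapping tables to its sample responses."""
from __future__ import annotations

import ipaddress
import re

# Sample responses copied from this guide (constructed test data, not live API output).
SAMPLE_INSIGHT = {
    "file": "eec3f761f7eabe9ed569f39e896be24c9bbb8861b15dbde1b3d539505cd9dd8d",
    "reputation": "BAD", "prevalence": "Hundreds",
    "firstSeen": "2020-08-27", "lastSeen": "2020-08-27",
    "targetOrgs": {"topCountries": ["tr", "de", "us", "qa", "ie"],
                   "topIndustries": ["wholesale", "manufacturing", "financial services", "retail"]},
}
SAMPLE_PROTECTION = {
    "network": "google.com",
    "state": [
        {"technology": "AntiVirus", "firstDefsetVersion": "2020.07.31.004", "threatName": "heur.advml.b"},
        {"technology": "Intrusion Prevention System", "firstDefsetVersion": "20150403.001",
         "threatName": "System Infected: W32.SillyFDC Activity 3"},
    ],
}
SAMPLE_RELATED = {
    "network": "145.249.105.165",
    "related": [
        {"iocType": "Network", "iocValues": ["79.142.70.106", "veramebel.kz"], "relation": "byThreatActor"},
        {"iocType": "File", "relation": "byThreatActor", "iocValues": [
            "370b4a94d511317ad0672f030478f324abd79f2edb4d690eb41dd803a0debd36",
            "022d89f8ab9a60b38684b25a1b7f3fe2dd7d8817fad5642305ec9acc004e0eff"]},
    ],
}

SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)
FQDN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.IGNORECASE)


def indicator_type(value: str) -> str:
    """Classify a value as one of the three indicator types the operation supports."""
    if SHA256_RE.match(value):
        return "SHA-256"
    try:
        ipaddress.ip_address(value)
        return "IP Address"
    except ValueError:
        pass
    if FQDN_RE.match(value):
        return "FQDN"
    raise ValueError(f"unsupported indicator type: {value!r}")


def endpoint_path(action: str, value: str) -> str:
    """Request path for an action: hashes go to /file, IPs and FQDNs to /network.
    The host differs between Related and the other two actions in the guide, so it is left to the caller."""
    if action not in ("insight", "protection", "related"):
        raise ValueError(f"unknown action: {action!r}")
    kind = "file" if indicator_type(value) == "SHA-256" else "network"
    return f"/v1/threat-intel/{action}/{kind}/{value}"


def map_insight(resp: dict) -> list[tuple[str, str]]:
    """Insight mapping. lastSeen is in the response but not in the default mapping, so it is skipped."""
    attrs = [(label, str(resp[key])) for key, label in
             (("reputation", "Reputation"), ("prevalence", "Prevalence"), ("firstSeen", "First Seen"))
             if key in resp]
    orgs = resp.get("targetOrgs") or {}
    attrs += [("Country", c) for c in orgs.get("topCountries", [])]   # one attribute per list entry
    attrs += [("Industry", i) for i in orgs.get("topIndustries", [])]
    return attrs


def map_protection(resp: dict) -> list[tuple[str, str]]:
    """Protection mapping: key is the technology name, value joins threatName and firstDefsetVersion."""
    return [(s["technology"], f"{s['threatName']} - {s['firstDefsetVersion']}") for s in resp.get("state", [])]


def map_related(resp: dict, auto_add: bool) -> list[dict]:
    """Related mapping. Type is derived from the value and cross-checked against iocType;
    with auto_add False the indicators are returned without attributes, as the guide describes."""
    out = []
    for group in resp.get("related", []):
        for value in group.get("iocValues", []):
            kind = indicator_type(value)
            if (group.get("iocType") == "File") != (kind == "SHA-256"):
                raise ValueError(f"{value!r} does not match iocType {group.get('iocType')!r}")
            item = {"value": value, "type": kind}
            if auto_add:
                item["attributes"] = [("Relation", group["relation"])]
            out.append(item)
    return out


if __name__ == "__main__":
    print(endpoint_path("insight", SAMPLE_INSIGHT["file"]))
    for row in map_insight(SAMPLE_INSIGHT) + map_protection(SAMPLE_PROTECTION):
        print(row)
    for ind in map_related(SAMPLE_RELATED, auto_add=True):
        print(ind)
```

The iocType cross-check is the part worth keeping when adapting this: a Network group that carried a hash, or a File group that carried a hostname, would otherwise be written into ThreatQ under the wrong indicator type, and the mapping table gives no other hint that the value and iocType disagree.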

Change Log

  • Version 1.0.0
    • Initial release

PDF Guides

Document                                              ThreatQ Version
Symantec Threat Intelligence Operation Guide v1.0.0   4.34.0 or Greater