Team Cymru Recon Operation
The web format of this guide reflects the most current release. Guides for older iterations are available in PDF format.
Integration Details
ThreatQuotient provides the following details for this integration:
Current Integration Version | 1.0.0 |
Compatible with ThreatQ Versions | >= 4.35.1 |
Support Tier | ThreatQ Supported |
Introduction
The Team Cymru Recon operation ingests FQDNs and IP Addresses from the Team Cymru Recon platform.
You can run the Team Cymru Recon CDF companion integration to get further details on the objects ingested with this operation.
The operation provides the following action:
- Enrich - submits a given FQDN or IP Address value.
The operation is compatible with FQDN and IP Address type Indicators.
Installation
This integration can be installed in the My Integration section of your ThreatQ instance. See the Adding an Integration topic for more details.
Configuration
ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.
To configure the integration:
- Navigate to your integrations management page in ThreatQ.
- Select the Operation option from the Type dropdown (optional).
- Click on the integration entry to open its details page.
- Enter the following parameters under the Configuration tab:
Parameter | Description |
---|---|
Hostname | The Hostname of the Team Cymru Recon instance. |
API Key | Your Team Cymru Recon API key. |
Search Time | The date by which the search should start. |
- Review any additional settings, make any changes if needed, and click on Save.
- Click on the toggle switch, located above the Additional Information section, to enable the integration.
Actions
The operation provides the following action:
Action | Description | Object Type | Object Subtype |
---|---|---|---|
Enrich | Submits a given FQDN or IP Address value. | Indicators | FQDN, IP Address |
Enrich
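The Enrich action creates a Team Cymru Recon Search Query for a given FQDN or IP Address. The indicator value is sent to the Team Cymru Recon API in this request, so it leaves your ThreatQ instance; confirm that sharing the value with the vendor is acceptable before running the action on sensitive indicators.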
POST https://augury5.cymru.com/api/jobs
Sample Response:
{
"job id 1593569": {
"job": {
"user_id": 46605,
"created_at": "2021-05-25 07:28:08",
"priority": 100,
"updated_at": "2021-05-25 07:28:08",
"name": "google.com",
"description": "FQDN Seach: google.com",
"id": 1593569
},
"queries": [
{
"query_type": "banners_ptr",
"end_date": "2021-05-25T07:28:06.999999+00:00",
"format": "json",
"any_cidr": [],
"ptr": [
"google.com"
],
"timeout": 14400,
"any_cc": [],
"exclude_ip_addr": [],
"any_ip_addr": [],
"exclude_ptr": [],
"cidr": [],
"exclude_cc": [],
"ip_addr": [],
"exclude_any_ip_addr": [],
"cc": [],
"exclude_any_cc": [],
"start_date": "2020-05-25T07:28:06+00:00",
"limit": 2000000,
"id": 14218595
},
{
"exclude_class": [],
"class": [],
"qname": [
"google.com"
],
"format": "json",
"timeout": 14400,
"end_date": "2021-05-25T07:28:06.999999+00:00",
"exclude_proto": [],
"any_ip_addr": [],
"exclude_src_ip_addr": [],
"query_type": "dns_query",
"any_cidr": [],
"exclude_qname": [],
"src_ip_addr": [],
"start_date": "2020-05-25T07:28:06+00:00",
"id": 14218596,
"dst_cidr": [],
"proto": [],
"dst_ip_addr": [],
"limit": 2000000,
"type": [],
"exclude_dst_ip_addr": [],
"exclude_type": [],
"src_cidr": [],
"exclude_any_ip_addr": []
},
{
"dnsrr": [
"google.com"
],
"end_date": "2021-05-25T07:28:06.999999+00:00",
"format": "json",
"any_cidr": [],
"limit": 2000000,
"timeout": 14400,
"any_cc": [],
"exclude_ip_addr": [],
"any_ip_addr": [],
"query_type": "nmap_dnsrr",
"cidr": [],
"exclude_cc": [],
"ip_addr": [],
"exclude_any_ip_addr": [],
"cc": [],
"exclude_any_cc": [],
"start_date": "2020-05-25T07:28:06+00:00",
"exclude_dnsrr": [],
"id": 14218597
},
{
"exclude_ttl_range": [],
"exclude_class": [],
"qname": [
"google.com"
],
"format": "json",
"timeout": 14400,
"ttl_range": [],
"end_date": "2021-05-25T07:28:06.999999+00:00",
"exclude_rdata": [],
"exclude_proto": [],
"any_ip_addr": [],
"exclude_src_ip_addr": [],
"query_type": "pdns",
"any_cidr": [],
"rdata_cidr": [],
"src_ip_addr": [],
"section": [],
"exclude_type": [],
"exclude_ttl": [],
"id": 14218598,
"limit": 2000000,
"class": [],
"ttl": [],
"exclude_qname": [],
"type": [],
"exclude_any_ip_addr": [],
"rdata": [],
"start_date": "2020-05-25T07:28:06+00:00",
"proto": [],
"src_cidr": [],
"exclude_section": []
},
{
"exclude_class": [],
"exclude_any_port": [],
"qname": [
"google.com"
],
"format": "json",
"timeout": 14400,
"dst_port": [],
"end_date": "2021-05-25T07:28:06.999999+00:00",
"exclude_proto": [],
"any_ip_addr": [],
"exclude_src_ip_addr": [],
"query_type": "pdns_nxd",
"any_cidr": [],
"exclude_any_port_range": [],
"exclude_qname": [],
"src_ip_addr": [],
"exclude_type": [],
"any_port_range": [],
"type": [],
"id": 14218599,
"dst_cidr": [],
"exclude_dst_port": [],
"exclude_zone": [],
"limit": 2000000,
"class": [],
"dst_ip_addr": [],
"any_port": [],
"proto": [],
"exclude_dst_port_range": [],
"exclude_dst_ip_addr": [],
"start_date": "2020-05-25T07:28:06+00:00",
"dst_port_range": [],
"zone": [],
"src_cidr": [],
"exclude_any_ip_addr": []
},
{
"exclude_ttl_range": [],
"rdata": [
"google.com"
],
"section": [],
"qname": [],
"format": "json",
"timeout": 14400,
"any_hostname": [],
"end_date": "2021-05-25T07:28:06.999999+00:00",
"exclude_rdata": [],
"exclude_class": [],
"any_ip_addr": [],
"exclude_proto": [],
"query_type": "pdns_other",
"any_cidr": [],
"exclude_qname": [],
"src_ip_addr": [],
"id": 14218600,
"start_date": "2020-05-25T07:28:06+00:00",
"exclude_src_ip_addr": [],
"exclude_ttl": [],
"exclude_any_hostname": [],
"limit": 2000000,
"class": [],
"proto": [],
"type": [],
"exclude_any_ip_addr": [],
"exclude_type": [],
"exclude_section": [],
"ttl_range": [],
"src_cidr": [],
"ttl": []
},
{
"dnsrr": [
"google.com"
],
"format": "json",
"any_cidr": [],
"ttl": [],
"timeout": 14400,
"ttl_range": [],
"end_date": "2021-05-25T07:28:06.999999+00:00",
"exclude_ip_addr": [],
"exclude_dnsrr": [],
"query_type": "apt_dns",
"cidr": [],
"type": [],
"ip_addr": [],
"any_ip_addr": [],
"id": 14218601,
"exclude_ttl_range": [],
"start_date": "2020-05-25T07:28:06+00:00",
"limit": 2000000,
"exclude_ttl": [],
"exclude_type": [],
"exclude_any_ip_addr": []
},
{
"query_type": "apt_dnsrr",
"dnsrr": [
"google.com"
],
"format": "json",
"timeout": 14400,
"limit": 2000000,
"start_date": "2020-05-25T07:28:06+00:00",
"end_date": "2021-05-25T07:28:06.999999+00:00",
"exclude_dnsrr": [],
"id": 14218602
},
{
"query_type": "apt_hostname",
"exclude_hostname": [],
"format": "json",
"timeout": 14400,
"limit": 2000000,
"start_date": "2020-05-25T07:28:06+00:00",
"end_date": "2021-05-25T07:28:06.999999+00:00",
"hostname": [
"google.com"
],
"id": 14218603
},
{
"target_cidr": [],
"target_ip_addr": [],
"exclude_controller_port": [],
"any_port": [],
"format": "json",
"exclude_controller_port_range": [],
"end_date": "2021-05-25T07:28:06.999999+00:00",
"exclude_target_hostname": [],
"any_ip_addr": [],
"exclude_target_ip_addr": [],
"query_type": "ddos_attacks",
"any_cidr": [],
"exclude_any_port_range": [],
"command": [],
"controller": [],
"exclude_controller": [],
"controller_port": [],
"subtarget": [],
"subfamily": [],
"any_port_range": [],
"id": 14218604,
"exclude_command": [],
"exclude_subfamily": [],
"exclude_subtarget": [],
"family": [],
"limit": 2000000,
"controller_ip_addr": [],
"exclude_any_port": [],
"controller_cidr": [],
"timeout": 14400,
"exclude_controller_ip_addr": [],
"exclude_any_ip_addr": [],
"exclude_family": [],
"controller_port_range": [],
"start_date": "2020-05-25T07:28:06+00:00",
"target_hostname": [
"google.com"
]
},
{
"target_cidr": [],
"target_ip_addr": [],
"exclude_controller_port": [],
"format": "json",
"exclude_controller_port_range": [],
"end_date": "2021-05-25T07:28:06.999999+00:00",
"exclude_controller_type": [],
"exclude_attack_command": [],
"any_ip_addr": [],
"exclude_target_ip_addr": [],
"query_type": "ddos_commands",
"any_cidr": [],
"exclude_any_port_range": [],
"subtarget": [],
"target_hostname": [
"google.com"
],
"exclude_controller": [],
"controller_port": [],
"exclude_subtarget": [],
"any_port_range": [],
"id": 14218605,
"limit": 2000000,
"controller_ip_addr": [],
"exclude_any_port": [],
"any_port": [],
"attack_command": [],
"exclude_any_ip_addr": [],
"exclude_controller_ip_addr": [],
"controller_cidr": [],
"controller": [],
"timeout": 14400,
"controller_type": [],
"start_date": "2020-05-25T07:28:06+00:00",
"exclude_target_hostname": [],
"controller_port_range": []
},
{
"port_range": [],
"port": [],
"format": "json",
"exclude_port": [],
"end_date": "2021-05-25T07:28:06.999999+00:00",
"exclude_ip_addr": [],
"any_ip_addr": [],
"exclude_proto": [],
"query_type": "bars_controllers",
"any_cidr": [],
"exclude_any_port_range": [],
"ip_addr": [],
"start_date": "2020-05-25T07:28:06+00:00",
"subfamily": [],
"any_port_range": [],
"exclude_port_range": [],
"id": 14218606,
"exclude_subfamily": [],
"controller_uri": [],
"family": [],
"cidr": [],
"limit": 2000000,
"exclude_any_port": [],
"exclude_family": [],
"any_port": [],
"exclude_hostname": [],
"proto": [],
"type": [],
"exclude_any_ip_addr": [],
"timeout": 14400,
"exclude_type_bars": null,
"exclude_type": [],
"type_bars": null,
"hostname": [
"google.com"
],
"exclude_controller_uri": []
},
{
"query_type": "dns_derived_domains_via_domain",
"query_domain": null,
"timeout": 14400,
"limit": 2000000,
"start_date": "2020-05-25T07:28:06+00:00",
"any_hostname": [
"google.com"
],
"end_date": "2021-05-25T07:28:06.999999+00:00",
"format": "json",
"id": 14218607
},
{
"query_type": "dns_derived_ips_via_domain",
"query_domain": null,
"timeout": 14400,
"limit": 2000000,
"start_date": "2020-05-25T07:28:06+00:00",
"any_hostname": [
"google.com"
],
"end_date": "2021-05-25T07:28:06.999999+00:00",
"format": "json",
"id": 14218608
},
{
"issuer": [],
"cn": [],
"format": "json",
"altnames": [],
"exclude_port": [],
"exclude_md5": [],
"end_date": "2021-05-25T07:28:06.999999+00:00",
"exclude_ip_addr": [],
"any_ip_addr": [],
"query_type": "x509",
"any_cidr": [],
"exclude_any_port_range": [],
"ip_addr": [],
"o": [],
"issuer_o": [],
"port": [],
"version": [],
"exclude_sig_algo": [],
"exclude_issuer_cn": [],
"id": 14218609,
"exclude_hostname": [],
"c": [],
"exclude_issuer_c": [],
"limit": 2000000,
"exclude_any_port": [],
"timeout": 14400,
"cidr": [],
"exclude_any_ip_addr": [],
"issuer_cn": [],
"start_date": "2020-05-25T07:28:06+00:00",
"hostname": [
"google.com"
],
"issuer_c": [],
"port_range": [],
"exclude_serial": [],
"exclude_issuer_o": [],
"sig_algo": [],
"exclude_cn": [],
"exclude_c": [],
"exclude_version": [],
"serial": [],
"exclude_x509_md5": null,
"md5": [],
"exclude_sha1": [],
"exclude_altnames": [],
"any_port_range": [],
"exclude_subject": [],
"exclude_port_range": [],
"exclude_issuer": [],
"exclude_email": [],
"email": [],
"x509_md5": null,
"any_port": [],
"exclude_x509_sha1": null,
"x509_sha1": null,
"exclude_o": [],
"subject": [],
"sha1": []
},
{
"exclude_message_id": [],
"message_id": [],
"format": "json",
"limit": 2000000,
"timeout": 14400,
"exclude_fqdn_regex": [],
"end_date": "2021-05-25T07:28:06.999999+00:00",
"query_type": "spam_domains",
"exclude_fqdn": [],
"message_id_regex": [],
"fqdn_regex": [],
"start_date": "2020-05-25T07:28:06+00:00",
"exclude_message_id_regex": [],
"fqdn": [
"google.com"
],
"id": 14218610
},
{
"exclude_any_port": [],
"format": "json",
"timeout": 14400,
"dst_port": [],
"end_date": "2021-05-25T07:28:06.999999+00:00",
"any_ip_addr": [],
"exclude_src_ip_addr": [],
"query_type": "urls",
"any_cidr": [],
"exclude_any_port_range": [],
"src_ip_addr": [],
"any_port_range": [],
"id": 14218611,
"dst_cidr": [],
"exclude_dst_port": [],
"url": [
"google.com"
],
"src_port": [],
"limit": 2000000,
"src_port_range": [],
"dst_ip_addr": [],
"any_port": [],
"exclude_dst_port_range": [],
"exclude_dst_ip_addr": [],
"exclude_src_port_range": [],
"dst_port_range": [],
"exclude_url": [],
"start_date": "2020-05-25T07:28:06+00:00",
"exclude_src_port": [],
"src_cidr": [],
"exclude_any_ip_addr": []
}
]
}
}
Change Log
- Version 1.0.0
- Initial release
PDF Guides
Document | ThreatQ Version |
---|---|
Team Cymru Recon Operation Guide v1.0.0 | 4.35.1 or Greater |