Query ThreatFox for an indicator.
To learn more about ThreatFox, see: https://threatfox.abuse.ch
This artifact can be called from within another artifact to enrich the data made available by that artifact.
Ex.
SELECT * from Artifact.Server.Enrichment.ThreatFox(AuthKey=$YOURKEY,IOC=$YOURIOC)
If querying for an MD5 or SHA256 hash, specify the IOC type, like so:
SELECT * from Artifact.Server.Enrichment.ThreatFox(AuthKey=$YOURKEY,IOCType=Hash)
name: Server.Enrichment.ThreatFox
description: |
Query ThreatFox for an indicator.
To learn more about ThreatFox, see: https://threatfox.abuse.ch
This artifact can be called from within another artifact to enrich the data made available by that artifact.
Ex.
`SELECT * from Artifact.Server.Enrichment.ThreatFox(AuthKey=$YOURKEY,IOC=$YOURIOC)`
If querying for an MD5 or SHA256 hash, specify the IOC type, like so:
`SELECT * from Artifact.Server.Enrichment.ThreatFox(AuthKey=$YOURKEY,IOCType=Hash)`
type: SERVER
parameters:
- name: AuthKey
default:
- name: IOC
default:
- name: IOCType
default:
type: choices
choices:
-
- IOC
- Hash
sources:
- query: |
LET TFURL <= "https://threatfox-api.abuse.ch/api/v1/"
LET TFIOC =
SELECT *
FROM http_client(
method="POST",
url=TFURL,
headers=dict(`Auth-Key`=AuthKey),
data=serialize(item=dict(`query`="search_ioc",`search_term`=IOC))
)
LET TFHash =
SELECT *
FROM http_client(
method="POST",
url=TFURL,
headers=dict(`Auth-Key`=AuthKey),
data=serialize(item=dict(`query`="search_hash", `hash`=IOC))
)
SELECT
parse_json(data=Content).data[0].ioc AS `IOC`,
parse_json(data=Content).data[0].malware AS `Malware`,
parse_json(data=Content).data[0].confidence_level AS `Confidence Level`,
parse_json(data=Content).data[0].threat_type AS `Threat Type`,
parse_json(data=Content).data[0].first_seen AS `First Seen`,
parse_json(data=Content).data[0].last_seen AS `Last Seen`,
parse_json(data=Content).data[0].reporter AS `Reporter`,
parse_json(data=Content).data[0].tags AS `Tags`,
parse_json(data=Content).data[0] As _Content
FROM if(condition= IOCType=~"Hash",then=TFHash,else=TFIOC)