
soar

ThreatStream

Splunk SOAR Cloud
Splunk Built
Overview
Integrates a variety of generic, reputation, and investigative actions from the Anomali ThreatStream threat intelligence platform

Supported Actions Version 3.6.1

  • test connectivity: Test connectivity to ThreatStream by querying the intelligence endpoint
  • file reputation: Get information about a file
  • domain reputation: Get information about a given domain
  • ip reputation: Get information about a given IP
  • email reputation: Get information about a given email
  • url reputation: Get information about a URL
  • whois ip: Execute a whois lookup on the given IP
  • whois domain: Execute a whois lookup on the given domain
  • get observable: Get observable present in ThreatStream by ID number
  • list observables: List observables present in ThreatStream
  • get vulnerability: Get vulnerability present in ThreatStream by ID number
  • list vulnerabilities: List vulnerabilities present in ThreatStream
  • list incidents: List incidents present in ThreatStream
  • delete incident: Delete incident in ThreatStream by ID number
  • get incident: Get incident in ThreatStream by ID number
  • create incident: Create an incident in ThreatStream
  • update incident: Update an incident in ThreatStream by ID number
  • import domain observable: Import domain observable into ThreatStream
  • import url observable: Import URL observable into ThreatStream
  • import ip observable: Import IP observable into ThreatStream
  • import file observable: Import file observable into ThreatStream
  • import email observable: Import email observable into ThreatStream
  • import observables: Import observables into ThreatStream
  • tag observable: Add a tag to the observable
  • get pcap: Download pcap file of a sample submitted to the sandbox and add it to vault
  • detonate file: Detonate file in ThreatStream
  • detonate url: Detonate URL in ThreatStream
  • get status: Retrieve detonation status present in ThreatStream
  • get report: Retrieve detonation report present in ThreatStream
  • on poll: Callback action for the on_poll ingest functionality
  • run query: Run observables query in ThreatStream
  • list import sessions: List all the import sessions
  • update import session: This action updates the fields of the provided item id
  • list threat models: List all the threat models
  • create threat bulletin: Create a threat bulletin in ThreatStream
  • update threat bulletin: Update a threat bulletin in ThreatStream
  • list threat bulletins: List threat bulletins present in ThreatStream
  • list associations: List associations of an entity present in ThreatStream
  • create rule: Creates a new rule in ThreatStream
  • update rule: Update a rule in ThreatStream by ID number
  • list rules: List rules present in ThreatStream
  • delete rule: Delete rule in ThreatStream by ID number
  • add association: Create associations between threat model entities on the ThreatStream platform
  • remove association: Remove associations between threat model entities on the ThreatStream platform
  • list actors: List actors present in ThreatStream
  • list imports: List imports present in ThreatStream
  • create vulnerability: Create a vulnerability in ThreatStream
  • update vulnerability: Update the vulnerability in ThreatStream
  • create actor: Create an actor in ThreatStream
  • update actor: Update an actor in ThreatStream
  • delete threat bulletin: Delete threat bulletin in ThreatStream by ID
  • delete vulnerability: Delete vulnerability in ThreatStream by ID
  • delete actor: Delete actor in ThreatStream by ID number
  • update observable: Update an observable in ThreatStream
  • create investigation: Create an investigation in ThreatStream
  • list investigations: List investigations present in ThreatStream
  • get investigation: Retrieve investigation present in ThreatStream by ID
  • update investigation: Update an investigation in ThreatStream
  • delete investigation: Delete investigation in ThreatStream by ID number

Supported Actions Version 3.6.0

  • test connectivity: Test connectivity to ThreatStream by querying the intelligence endpoint
  • file reputation: Get information about a file
  • domain reputation: Get information about a given domain
  • ip reputation: Get information about a given IP
  • email reputation: Get information about a given email
  • url reputation: Get information about a URL
  • whois ip: Execute a whois lookup on the given IP
  • whois domain: Execute a whois lookup on the given domain
  • get observable: Get observable present in ThreatStream by ID number
  • list observables: List observables present in ThreatStream
  • get vulnerability: Get vulnerability present in ThreatStream by ID number
  • list vulnerabilities: List vulnerabilities present in ThreatStream
  • list incidents: List incidents present in ThreatStream
  • delete incident: Delete incident in ThreatStream by ID number
  • get incident: Get incident in ThreatStream by ID number
  • create incident: Create an incident in ThreatStream
  • update incident: Update an incident in ThreatStream by ID number
  • import domain observable: Import domain observable into ThreatStream
  • import url observable: Import URL observable into ThreatStream
  • import ip observable: Import IP observable into ThreatStream
  • import file observable: Import file observable into ThreatStream
  • import email observable: Import email observable into ThreatStream
  • import observables: Import observables into ThreatStream
  • tag observable: Add a tag to the observable
  • get pcap: Download pcap file of a sample submitted to the sandbox and add it to vault
  • detonate file: Detonate file in ThreatStream
  • detonate url: Detonate URL in ThreatStream
  • get status: Retrieve detonation status present in ThreatStream
  • get report: Retrieve detonation report present in ThreatStream
  • on poll: Callback action for the on_poll ingest functionality
  • run query: Run observables query in ThreatStream
  • list import sessions: List all the import sessions
  • update import session: This action updates the fields of the provided item id
  • list threat models: List all the threat models
  • create threat bulletin: Create a threat bulletin in ThreatStream
  • update threat bulletin: Update a threat bulletin in ThreatStream
  • list threat bulletins: List threat bulletins present in ThreatStream
  • list associations: List associations of an entity present in ThreatStream
  • create rule: Creates a new rule in ThreatStream
  • update rule: Update a rule in ThreatStream by ID number
  • list rules: List rules present in ThreatStream
  • delete rule: Delete rule in ThreatStream by ID number
  • add association: Create associations between threat model entities on the ThreatStream platform
  • remove association: Remove associations between threat model entities on the ThreatStream platform
  • list actors: List actors present in ThreatStream
  • list imports: List imports present in ThreatStream
  • create vulnerability: Create a vulnerability in ThreatStream
  • update vulnerability: Update the vulnerability in ThreatStream
  • create actor: Create an actor in ThreatStream
  • update actor: Update an actor in ThreatStream
  • delete threat bulletin: Delete threat bulletin in ThreatStream by ID
  • delete vulnerability: Delete vulnerability in ThreatStream by ID
  • delete actor: Delete actor in ThreatStream by ID number
  • update observable: Update an observable in ThreatStream
  • create investigation: Create an investigation in ThreatStream
  • list investigations: List investigations present in ThreatStream
  • get investigation: Retrieve investigation present in ThreatStream by ID
  • update investigation: Update an investigation in ThreatStream
  • delete investigation: Delete investigation in ThreatStream by ID number

Supported Actions Version 3.5.3

  • test connectivity: Test connectivity to ThreatStream by querying the intelligence endpoint
  • file reputation: Get information about a file
  • domain reputation: Get information about a given domain
  • ip reputation: Get information about a given IP
  • email reputation: Get information about a given email
  • url reputation: Get information about a URL
  • whois ip: Execute a whois lookup on the given IP
  • whois domain: Execute a whois lookup on the given domain
  • get observable: Get observable present in ThreatStream by ID number
  • list observables: List observables present in ThreatStream
  • get vulnerability: Get vulnerability present in ThreatStream by ID number
  • list vulnerabilities: List vulnerabilities present in ThreatStream
  • list incidents: List incidents present in ThreatStream
  • delete incident: Delete incident in ThreatStream by ID number
  • get incident: Get incident in ThreatStream by ID number
  • create incident: Create an incident in ThreatStream
  • update incident: Update an incident in ThreatStream by ID number
  • import domain observable: Import domain observable into ThreatStream
  • import url observable: Import URL observable into ThreatStream
  • import ip observable: Import IP observable into ThreatStream
  • import file observable: Import file observable into ThreatStream
  • import email observable: Import email observable into ThreatStream
  • import observables: Import observables into ThreatStream
  • tag observable: Add a tag to the observable
  • get pcap: Download pcap file of a sample submitted to the sandbox and add it to vault
  • detonate file: Detonate file in ThreatStream
  • detonate url: Detonate URL in ThreatStream
  • get status: Retrieve detonation status present in ThreatStream
  • get report: Retrieve detonation report present in ThreatStream
  • on poll: Callback action for the on_poll ingest functionality
  • run query: Run observables query in ThreatStream
  • list import sessions: List all the import sessions
  • update import session: This action updates the fields of the provided item id
  • list threat models: List all the threat models
  • create threat bulletin: Create a threat bulletin in ThreatStream
  • update threat bulletin: Update a threat bulletin in ThreatStream
  • list threat bulletins: List threat bulletins present in ThreatStream
  • list associations: List associations of an entity present in ThreatStream
  • create rule: Creates a new rule in ThreatStream
  • update rule: Update a rule in ThreatStream by ID number
  • list rules: List rules present in ThreatStream
  • delete rule: Delete rule in ThreatStream by ID number
  • add association: Create associations between threat model entities on the ThreatStream platform
  • remove association: Remove associations between threat model entities on the ThreatStream platform
  • list actors: List actors present in ThreatStream
  • list imports: List imports present in ThreatStream
  • create vulnerability: Create a vulnerability in ThreatStream
  • update vulnerability: Update the vulnerability in ThreatStream
  • create actor: Create an actor in ThreatStream
  • update actor: Update an actor in ThreatStream
  • delete threat bulletin: Delete threat bulletin in ThreatStream by ID
  • delete vulnerability: Delete vulnerability in ThreatStream by ID
  • delete actor: Delete actor in ThreatStream by ID number
  • update observable: Update an observable in ThreatStream
  • create investigation: Create an investigation in ThreatStream
  • list investigations: List investigations present in ThreatStream
  • get investigation: Retrieve investigation present in ThreatStream by ID
  • update investigation: Update an investigation in ThreatStream
  • delete investigation: Delete investigation in ThreatStream by ID number

Supported Actions Version 3.5.1

  • test connectivity: Test connectivity to ThreatStream by querying the intelligence endpoint
  • file reputation: Get information about a file
  • domain reputation: Get information about a given domain
  • ip reputation: Get information about a given IP
  • email reputation: Get information about a given email
  • url reputation: Get information about a URL
  • whois ip: Execute a whois lookup on the given IP
  • whois domain: Execute a whois lookup on the given domain
  • get observable: Get observable present in ThreatStream by ID number
  • list observables: List observables present in ThreatStream
  • get vulnerability: Get vulnerability present in ThreatStream by ID number
  • list vulnerabilities: List vulnerabilities present in ThreatStream
  • list incidents: List incidents present in ThreatStream
  • delete incident: Delete incident in ThreatStream by ID number
  • get incident: Get incident in ThreatStream by ID number
  • create incident: Create an incident in ThreatStream
  • update incident: Update an incident in ThreatStream by ID number
  • import domain observable: Import domain observable into ThreatStream
  • import url observable: Import URL observable into ThreatStream
  • import ip observable: Import IP observable into ThreatStream
  • import file observable: Import file observable into ThreatStream
  • import email observable: Import email observable into ThreatStream
  • import observables: Import observables into ThreatStream
  • tag observable: Add a tag to the observable
  • get pcap: Download pcap file of a sample submitted to the sandbox and add it to vault
  • detonate file: Detonate file in ThreatStream
  • detonate url: Detonate URL in ThreatStream
  • get status: Retrieve detonation status present in ThreatStream
  • get report: Retrieve detonation report present in ThreatStream
  • on poll: Callback action for the on_poll ingest functionality
  • run query: Run observables query in ThreatStream
  • list import sessions: List all the import sessions
  • update import session: This action updates the fields of the provided item id
  • list threat models: List all the threat models
  • create threat bulletin: Create a threat bulletin in ThreatStream
  • update threat bulletin: Update a threat bulletin in ThreatStream
  • list threat bulletins: List threat bulletins present in ThreatStream
  • list associations: List associations of an entity present in ThreatStream
  • create rule: Creates a new rule in ThreatStream
  • update rule: Update a rule in ThreatStream by ID number
  • list rules: List rules present in ThreatStream
  • delete rule: Delete rule in ThreatStream by ID number
  • add association: Create associations between threat model entities on the ThreatStream platform
  • remove association: Remove associations between threat model entities on the ThreatStream platform
  • list actors: List actors present in ThreatStream
  • list imports: List imports present in ThreatStream
  • create vulnerability: Create a vulnerability in ThreatStream
  • update vulnerability: Update the vulnerability in ThreatStream
  • create actor: Create an actor in ThreatStream
  • update actor: Update an actor in ThreatStream
  • delete threat bulletin: Delete threat bulletin in ThreatStream by ID
  • delete vulnerability: Delete vulnerability in ThreatStream by ID
  • delete actor: Delete actor in ThreatStream by ID number
  • update observable: Update an observable in ThreatStream
  • create investigation: Create an investigation in ThreatStream
  • list investigations: List investigations present in ThreatStream
  • get investigation: Retrieve investigation present in ThreatStream by ID
  • update investigation: Update an investigation in ThreatStream
  • delete investigation: Delete investigation in ThreatStream by ID number

Supported Actions Version 3.5.0

  • test connectivity: Test connectivity to ThreatStream by querying the intelligence endpoint
  • file reputation: Get information about a file
  • domain reputation: Get information about a given domain
  • ip reputation: Get information about a given IP
  • email reputation: Get information about a given email
  • url reputation: Get information about a URL
  • whois ip: Execute a whois lookup on the given IP
  • whois domain: Execute a whois lookup on the given domain
  • get observable: Get observable present in ThreatStream by ID number
  • list observables: List observables present in ThreatStream
  • get vulnerability: Get vulnerability present in ThreatStream by ID number
  • list vulnerabilities: List vulnerabilities present in ThreatStream
  • list incidents: List incidents present in ThreatStream
  • delete incident: Delete incident in ThreatStream by ID number
  • get incident: Get incident in ThreatStream by ID number
  • create incident: Create an incident in ThreatStream
  • update incident: Update an incident in ThreatStream by ID number
  • import domain observable: Import domain observable into ThreatStream
  • import url observable: Import URL observable into ThreatStream
  • import ip observable: Import IP observable into ThreatStream
  • import file observable: Import file observable into ThreatStream
  • import email observable: Import email observable into ThreatStream
  • import observables: Import observables into ThreatStream
  • tag observable: Add a tag to the observable
  • get pcap: Download pcap file of a sample submitted to the sandbox and add it to vault
  • detonate file: Detonate file in ThreatStream
  • detonate url: Detonate URL in ThreatStream
  • get status: Retrieve detonation status present in ThreatStream
  • get report: Retrieve detonation report present in ThreatStream
  • on poll: Callback action for the on_poll ingest functionality
  • run query: Run observables query in ThreatStream
  • list import sessions: List all the import sessions
  • update import session: This action updates the fields of the provided item id
  • list threat models: List all the threat models
  • create threat bulletin: Create a threat bulletin in ThreatStream
  • update threat bulletin: Update a threat bulletin in ThreatStream
  • list threat bulletins: List threat bulletins present in ThreatStream
  • list associations: List associations of an entity present in ThreatStream
  • create rule: Creates a new rule in ThreatStream
  • update rule: Update a rule in ThreatStream by ID number
  • list rules: List rules present in ThreatStream
  • delete rule: Delete rule in ThreatStream by ID number
  • add association: Create associations between threat model entities on the ThreatStream platform
  • remove association: Remove associations between threat model entities on the ThreatStream platform
  • list actors: List actors present in ThreatStream
  • list imports: List imports present in ThreatStream
  • create vulnerability: Create a vulnerability in ThreatStream
  • update vulnerability: Update the vulnerability in ThreatStream
  • create actor: Create an actor in ThreatStream
  • update actor: Update an actor in ThreatStream
  • delete threat bulletin: Delete threat bulletin in ThreatStream by ID
  • delete vulnerability: Delete vulnerability in ThreatStream by ID
  • delete actor: Delete actor in ThreatStream by ID number
  • update observable: Update an observable in ThreatStream
  • create investigation: Create an investigation in ThreatStream
  • list investigations: List investigations present in ThreatStream
  • get investigation: Retrieve investigation present in ThreatStream by ID
  • update investigation: Update an investigation in ThreatStream
  • delete investigation: Delete investigation in ThreatStream by ID number

Supported Actions Version 3.4.4

  • test connectivity: Test connectivity to ThreatStream by querying the intelligence endpoint
  • file reputation: Get information about a file
  • domain reputation: Get information about a given domain
  • ip reputation: Get information about a given IP
  • email reputation: Get information about a given email
  • url reputation: Get information about a URL
  • whois ip: Execute a whois lookup on the given IP
  • whois domain: Execute a whois lookup on the given domain
  • get observable: Get observable present in ThreatStream by ID number
  • list observables: List observables present in ThreatStream
  • get vulnerability: Get vulnerability present in ThreatStream by ID number
  • list vulnerabilities: List vulnerabilities present in ThreatStream
  • list incidents: List incidents present in ThreatStream
  • delete incident: Delete incident in ThreatStream by ID number
  • get incident: Get incident in ThreatStream by ID number
  • create incident: Create an incident in ThreatStream
  • update incident: Update an incident in ThreatStream by ID number
  • import domain observable: Import domain observable into ThreatStream
  • import url observable: Import URL observable into ThreatStream
  • import ip observable: Import IP observable into ThreatStream
  • import file observable: Import file observable into ThreatStream
  • import email observable: Import email observable into ThreatStream
  • import observables: Import observables into ThreatStream
  • tag observable: Add a tag to the observable
  • get pcap: Download pcap file of a sample submitted to the sandbox and add it to vault
  • detonate file: Detonate file in ThreatStream
  • detonate url: Detonate URL in ThreatStream
  • get status: Retrieve detonation status present in ThreatStream
  • get report: Retrieve detonation report present in ThreatStream
  • on poll: Callback action for the on_poll ingest functionality
  • run query: Run observables query in ThreatStream
  • list import sessions: List all the import sessions
  • update import session: This action updates the fields of the provided item id
  • list threat models: List all the threat models
  • create threat bulletin: Create a threat bulletin in ThreatStream
  • update threat bulletin: Update a threat bulletin in ThreatStream
  • list threat bulletins: List threat bulletins present in ThreatStream
  • list associations: List associations of an entity present in ThreatStream
  • create rule: Creates a new rule in ThreatStream
  • update rule: Update a rule in ThreatStream by ID number
  • list rules: List rules present in ThreatStream
  • delete rule: Delete rule in ThreatStream by ID number
  • add association: Create associations between threat model entities on the ThreatStream platform
  • remove association: Remove associations between threat model entities on the ThreatStream platform
  • list actors: List actors present in ThreatStream
  • list imports: List imports present in ThreatStream
  • create vulnerability: Create a vulnerability in ThreatStream
  • update vulnerability: Update the vulnerability in ThreatStream
  • create actor: Create an actor in ThreatStream
  • update actor: Update an actor in ThreatStream
  • delete threat bulletin: Delete threat bulletin in ThreatStream by ID
  • delete vulnerability: Delete vulnerability in ThreatStream by ID
  • delete actor: Delete actor in ThreatStream by ID number
  • update observable: Update an observable in ThreatStream
  • create investigation: Create an investigation in ThreatStream
  • list investigations: List investigations present in ThreatStream
  • get investigation: Retrieve investigation present in ThreatStream by ID
  • update investigation: Update an investigation in ThreatStream
  • delete investigation: Delete investigation in ThreatStream by ID number

Supported Actions Version 3.4.3

  • test connectivity: Test connectivity to ThreatStream by querying the intelligence endpoint
  • file reputation: Get information about a file
  • domain reputation: Get information about a given domain
  • ip reputation: Get information about a given IP
  • email reputation: Get information about a given email
  • url reputation: Get information about a URL
  • whois ip: Execute a whois lookup on the given IP
  • whois domain: Execute a whois lookup on the given domain
  • get observable: Get observable present in ThreatStream by ID number
  • list observables: List observables present in ThreatStream
  • get vulnerability: Get vulnerability present in ThreatStream by ID number
  • list vulnerabilities: List vulnerabilities present in ThreatStream
  • list incidents: List incidents present in ThreatStream
  • delete incident: Delete incident in ThreatStream by ID number
  • get incident: Get incident in ThreatStream by ID number
  • create incident: Create an incident in ThreatStream
  • update incident: Update an incident in ThreatStream by ID number
  • import domain observable: Import domain observable into ThreatStream
  • import url observable: Import URL observable into ThreatStream
  • import ip observable: Import IP observable into ThreatStream
  • import file observable: Import file observable into ThreatStream
  • import email observable: Import email observable into ThreatStream
  • import observables: Import observables into ThreatStream
  • tag observable: Add a tag to the observable
  • get pcap: Download pcap file of a sample submitted to the sandbox and add it to vault
  • detonate file: Detonate file in ThreatStream
  • detonate url: Detonate URL in ThreatStream
  • get status: Retrieve detonation status present in ThreatStream
  • get report: Retrieve detonation report present in ThreatStream
  • on poll: Callback action for the on_poll ingest functionality
  • run query: Run observables query in ThreatStream
  • list import sessions: List all the import sessions
  • update import session: This action updates the fields of the provided item id
  • list threat models: List all the threat models
  • create threat bulletin: Create a threat bulletin in ThreatStream
  • update threat bulletin: Update a threat bulletin in ThreatStream
  • list threat bulletins: List threat bulletins present in ThreatStream
  • list associations: List associations of an entity present in ThreatStream
  • create rule: Creates a new rule in ThreatStream
  • update rule: Update a rule in ThreatStream by ID number
  • list rules: List rules present in ThreatStream
  • delete rule: Delete rule in ThreatStream by ID number
  • add association: Create associations between threat model entities on the ThreatStream platform
  • remove association: Remove associations between threat model entities on the ThreatStream platform
  • list actors: List actors present in ThreatStream
  • list imports: List imports present in ThreatStream
  • create vulnerability: Create a vulnerability in ThreatStream
  • update vulnerability: Update the vulnerability in ThreatStream
  • create actor: Create an actor in ThreatStream
  • update actor: Update an actor in ThreatStream
  • delete threat bulletin: Delete threat bulletin in ThreatStream by ID
  • delete vulnerability: Delete vulnerability in ThreatStream by ID
  • delete actor: Delete actor in ThreatStream by ID number
  • update observable: Update an observable in ThreatStream
  • create investigation: Create an investigation in ThreatStream
  • list investigations: List investigations present in ThreatStream
  • get investigation: Retrieve investigation present in ThreatStream by ID
  • update investigation: Update an investigation in ThreatStream
  • delete investigation: Delete investigation in ThreatStream by ID number

Supported Actions Version 3.3.2

  • test connectivity: Test connectivity to ThreatStream by querying the intelligence endpoint
  • file reputation: Get information about a file
  • domain reputation: Get information about a given domain
  • ip reputation: Get information about a given IP
  • email reputation: Get information about a given email
  • url reputation: Get information about a URL
  • whois ip: Execute a whois lookup on the given IP
  • whois domain: Execute a whois lookup on the given domain
  • get observable: Get observable present in ThreatStream by ID number
  • list observables: List observables present in ThreatStream
  • get vulnerability: Get vulnerability present in ThreatStream by ID number
  • list vulnerabilities: List vulnerabilities present in ThreatStream
  • list incidents: List incidents present in ThreatStream
  • delete incident: Delete incident in ThreatStream by ID number
  • get incident: Get incident in ThreatStream by ID number
  • create incident: Create an incident in ThreatStream
  • update incident: Update an incident in ThreatStream by ID number
  • import domain observable: Import domain observable into ThreatStream
  • import url observable: Import URL observable into ThreatStream
  • import ip observable: Import IP observable into ThreatStream
  • import file observable: Import file observable into ThreatStream
  • import email observable: Import email observable into ThreatStream
  • import observables: Import observables into ThreatStream
  • tag observable: Add a tag to the observable
  • get pcap: Download pcap file of a sample submitted to the sandbox and add it to vault
  • detonate file: Detonate file in ThreatStream
  • detonate url: Detonate URL in ThreatStream
  • get status: Retrieve detonation status present in ThreatStream
  • get report: Retrieve detonation report present in ThreatStream
  • on poll: Callback action for the on_poll ingest functionality
  • run query: Run observables query in ThreatStream
  • list import sessions: List all the import sessions
  • update import session: This action updates the fields of the provided item id
  • list threat models: List all the threat models
  • create threat bulletin: Create a threat bulletin in ThreatStream
  • update threat bulletin: Update a threat bulletin in ThreatStream
  • list threat bulletins: List threat bulletins present in ThreatStream
  • list associations: List associations of an entity present in ThreatStream
  • create rule: Creates a new rule in ThreatStream
  • update rule: Update a rule in ThreatStream by ID number
  • list rules: List rules present in ThreatStream
  • delete rule: Delete rule in ThreatStream by ID number
  • add association: Create associations between threat model entities on the ThreatStream platform
  • remove association: Remove associations between threat model entities on the ThreatStream platform
  • list actors: List actors present in ThreatStream
  • list imports: List imports present in ThreatStream
  • create vulnerability: Create a vulnerability in ThreatStream
  • update vulnerability: Update the vulnerability in ThreatStream
  • create actor: Create an actor in ThreatStream
  • update actor: Update an actor in ThreatStream
  • delete threat bulletin: Delete threat bulletin in ThreatStream by ID
  • delete vulnerability: Delete vulnerability in ThreatStream by ID
  • delete actor: Delete actor in ThreatStream by ID number
  • create investigation: Create an investigation in ThreatStream
  • list investigations: List investigations present in ThreatStream
  • get investigation: Retrieve investigation present in ThreatStream by ID
  • update investigation: Update an investigation in ThreatStream
  • delete investigation: Delete investigation in ThreatStream by ID number

Supported Actions Version 3.2.8

  • test connectivity: Test connectivity to ThreatStream by querying the intelligence endpoint
  • file reputation: Get information about a file
  • domain reputation: Get information about a given domain
  • ip reputation: Get information about a given IP
  • email reputation: Get information about a given email
  • url reputation: Get information about a URL
  • whois ip: Execute a whois lookup on the given IP
  • whois domain: Execute a whois lookup on the given domain
  • get observable: Get observable present in ThreatStream by ID number
  • list observables: List observables present in ThreatStream
  • get vulnerability: Get vulnerability present in ThreatStream by ID number
  • list vulnerabilities: List vulnerabilities present in ThreatStream
  • list incidents: List incidents present in ThreatStream
  • delete incident: Delete incident in ThreatStream by ID number
  • get incident: Get incident in ThreatStream by ID number
  • create incident: Create an incident in ThreatStream
  • update incident: Update an incident in ThreatStream by ID number
  • import domain observable: Import domain observable into ThreatStream
  • import url observable: Import URL observable into ThreatStream
  • import ip observable: Import IP observable into ThreatStream
  • import file observable: Import file observable into ThreatStream
  • import email observable: Import email observable into ThreatStream
  • import observables: Import observables into ThreatStream
  • tag observable: Add a tag to the observable
  • get pcap: Download pcap file of a sample submitted to the sandbox and add it to vault
  • detonate file: Detonate file in ThreatStream
  • detonate url: Detonate URL in ThreatStream
  • get status: Retrieve detonation status present in ThreatStream
  • get report: Retrieve detonation report present in ThreatStream
  • on poll: Callback action for the on_poll ingest functionality
  • run query: Run observables query in ThreatStream
  • list import sessions: List all the import sessions
  • update import session: This action updates the fields of the provided item id
  • list threat models: List all the threat models
  • create threat bulletin: Create a threat bulletin in ThreatStream
  • update threat bulletin: Update a threat bulletin in ThreatStream
  • list threat bulletins: List threat bulletins present in ThreatStream
  • list associations: List associations of an entity present in ThreatStream
  • create rule: Creates a new rule in ThreatStream
  • update rule: Update a rule in ThreatStream by ID number
  • list rules: List rules present in ThreatStream
  • delete rule: Delete rule in ThreatStream by ID number
  • add association: Create associations between threat model entities on the ThreatStream platform
  • remove association: Remove associations between threat model entities on the ThreatStream platform
  • list actors: List actors present in ThreatStream
  • list imports: List imports present in ThreatStream
  • create vulnerability: Create a vulnerability in ThreatStream
  • update vulnerability: Update the vulnerability in ThreatStream
  • create actor: Create an actor in ThreatStream
  • update actor: Update an actor in ThreatStream
  • delete threat bulletin: Delete threat bulletin in ThreatStream by ID
  • delete vulnerability: Delete vulnerability in ThreatStream by ID
  • delete actor: Delete actor in ThreatStream by ID number
  • create investigation: Create an investigation in ThreatStream
  • list investigations: List investigations present in ThreatStream
  • get investigation: Retrieve investigation present in ThreatStream by ID
  • update investigation: Update an investigation in ThreatStream
  • delete investigation: Delete investigation in ThreatStream by ID number

Supported Actions Version 3.0.3

  • test connectivity: Test connectivity to ThreatStream by querying the intelligence endpoint
  • file reputation: Get information about a file
  • domain reputation: Get information about a given domain
  • ip reputation: Get information about a given IP
  • email reputation: Get information about a given email
  • url reputation: Get information about a URL
  • whois ip: Execute a whois lookup on the given IP
  • whois domain: Execute a whois lookup on the given domain
  • get observable: Get observable present in ThreatStream by ID number
  • list observables: List observables present in ThreatStream
  • get vulnerability: Get vulnerability present in ThreatStream by ID number
  • list vulnerabilities: List vulnerabilities present in ThreatStream
  • list incidents: List incidents present in ThreatStream
  • delete incident: Delete incident in ThreatStream by ID number
  • get incident: Get incident in ThreatStream by ID number
  • create incident: Create an incident in ThreatStream
  • update incident: Update an incident in ThreatStream by ID number
  • import domain observable: Import domain observable into ThreatStream
  • import url observable: Import URL observable into ThreatStream
  • import ip observable: Import IP observable into ThreatStream
  • import file observable: Import file observable into ThreatStream
  • import email observable: Import email observable into ThreatStream
  • import observables: Import observables into ThreatStream
  • tag observable: Add a tag to the observable
  • get pcap: Download pcap file of a sample submitted to the sandbox and add it to vault
  • detonate file: Detonate file in ThreatStream
  • detonate url: Detonate URL in ThreatStream
  • get status: Retrieve detonation status present in ThreatStream
  • get report: Retrieve detonation report present in ThreatStream
  • on poll: Callback action for the on_poll ingest functionality
  • run query: Run observables query in ThreatStream
  • list import sessions: List all the import sessions
  • update import session: This action updates the fields of the provided item id
  • list threat models: List all the threat models
  • create threat bulletin: Create a threat bulletin in ThreatStream
  • update threat bulletin: Update a threat bulletin in ThreatStream
  • list threat bulletins: List threat bulletins present in ThreatStream
  • list associations: List associations of an entity present in ThreatStream
  • create rule: Creates a new rule in ThreatStream
  • update rule: Update a rule in ThreatStream by ID number
  • list rules: List rules present in ThreatStream
  • delete rule: Delete rule in ThreatStream by ID number
  • add association: Create associations between threat model entities on the ThreatStream platform
  • remove association: Remove associations between threat model entities on the ThreatStream platform
  • list actors: List actors present in ThreatStream
  • list imports: List imports present in ThreatStream
  • create vulnerability: Create a vulnerability in ThreatStream
  • update vulnerability: Update the vulnerability in ThreatStream
  • create actor: Create an actor in ThreatStream
  • update actor: Update an actor in ThreatStream
  • delete threat bulletin: Delete threat bulletin in ThreatStream by ID
  • delete vulnerability: Delete vulnerability in ThreatStream by ID
  • delete actor: Delete actor in ThreatStream by ID number

Release Notes

Version 3.6.1
Dec. 4, 2024
  • Update dnspython version for vulnerability [PAPP-34923]
Version 3.6.0
July 16, 2024
  • Updated API Authentication [PAPP-34191]
  • Resolved dnspython module error [PAPP-34172]
Version 3.5.3
April 18, 2024
  • Removed certifi, requests and urllib3 dependencies in order to use platform packages [PAPP-31096, PAPP-30822, PAPP-33451]
Version 3.5.1
Feb. 7, 2024
  • Feature that allows custom Observable Types to be used in the 'import observables' action
    • Validation for default types has been removed
    • Action no longer has a dropdown; information about default types is now visible in the description
  • [PAPP-32436] Removed hardcoded vault tmp path
Version 3.5.0
Nov. 22, 2022
  • Bug fix for the Japanese domain in the 'whois domain' action [PAPP-25646]
  • Added support for the 'search exact value' parameter in the following actions: [PAPP-26363]
    • url reputation
    • email reputation
    • domain reputation
Version 3.4.4
Feb. 5, 2022
  • Added support for Python 3.9
Version 3.4.3
Jan. 25, 2022

ThreatStream Release Notes - Published by Splunk January 21, 2022

Version 3.4.3 - Released January 21, 2022

  • Added new action 'update observable' support [PAPP-18707]
  • Added support for the 'source' parameter in the following actions: [PAPP-18144]
    • import domain observable
    • import ip observable
    • import url observable
    • import file observable
    • import email observable
  • Added support for the 'use_premium_sandbox', 'use_vmray_sandbox', 'vmray_max_jobs' and 'fields' parameters in the following actions: [PAPP-18998]
    • detonate file
    • detonate url
  • Added support for the 'allow_unresolved' parameter in the 'import url observable' action [PAPP-18699]
  • Added IPv6 support for the 'ip_address' parameter in the 'import ip observable' action
Version 3.3.2
Dec. 24, 2021

ThreatStream Release Notes - Published by Splunk December 23, 2021

Version 3.3.2 - Released December 23, 2021

  • Marked the app as FIPS Compliant [PAPP-21568]
  • Improved 'ip reputation' and 'domain reputation' actions [PAPP-19922]
  • Enabled interacting with Widget values for Investigation actions [PAPP-21485]
  • Improved usability for indicator type [PAPP-21096]
Version 3.2.8
Nov. 29, 2021

ThreatStream Release Notes - Published by Splunk November 29, 2021

Version 3.2.8 - Released November 29, 2021

  • Added support for the 'extend_source' parameter in the following actions: [PAPP-18117]

    • url reputation
    • file reputation
    • domain reputation
    • ip reputation
    • email reputation
  • Added below mentioned new actions:

    • create investigation
    • update investigation
    • get investigation
    • delete investigation
    • list investigations
  • Added support for SHA512 in the 'file reputation' action

  • Updated default value of 'platform' parameter in the 'detonate url' and 'detonate file' actions due to change in API
Version 3.0.3
Sept. 21, 2021

ThreatStream Release Notes - Published by Splunk June 15, 2021

Version 3.0.3 - Released June 15, 2021

  • Improved compatibility changes for Python 3
  • Added below mentioned new actions:
    • add association
    • remove association
    • list association
    • create vulnerability
    • update vulnerability
    • delete vulnerability
    • create actor
    • update actor
    • delete actor
    • list actors
    • create rule
    • update rule
    • delete rule
    • list rules
    • create threat bulletin
    • update threat bulletin
    • delete threat bulletin
    • list threat bulletins
    • list imports

  • Added 'allow_unresolved' parameter for the 'import observables' and 'import domain observable' actions

  • Added 'with_approval' parameter for all the importing observables related actions [PAPP-14771]
  • Added additional parameter 'publication_status' in the 'list threat models' action [PAPP-15769]
  • Fixed issue of limiting the returned results for all reputation related actions [PAPP-16026]
  • Fixed the error message issue for all the actions [PAPP-15381]
  • Fixed the library issue for the 'whois domain' action [PAPP-15260]
  • Fixed the workflow for the 'url reputation' action [PAPP-17155]
  • Updated app documentation for the latest changes
