3. Query Threat Response
3.1. Get Verdicts for an Observable
3.1.1. Extract Observables
Note
This step can be skipped if the observable type is already known and can be mapped to one of the supported observable types, in which case you can build the payload yourself.
Extract observables using:
POST /iroh/iroh-inspect/inspect
3.1.2. Extract Observables API Example
API Endpoint Definition:
POST https://visibility.amp.cisco.com/iroh/iroh-inspect/inspect HTTP/1.1
Authorization: Bearer ${jwt}
Content-Type: application/json
{
  "content": "cisco.com"
}
JSON Response:
[
  {
    "value": "cisco.com",
    "type": "domain"
  }
]
3.1.3. Deliberate Observables
Pass the returned array to:
POST /iroh/iroh-enrich/deliberate/observables
3.1.4. Deliberate Observables API Example
API Endpoint Definition:
POST https://visibility.amp.cisco.com/iroh/iroh-enrich/deliberate/observables HTTP/1.1
Authorization: Bearer ${jwt}
Content-Type: application/json
[
  {
    "value": "cisco.com",
    "type": "domain"
  }
]
JSON Response:
{
  "data": [
    {
      "module": "Talos Intelligence",
      "module-type": "SenderBaseInvestigateModule",
      "data": {
        "verdicts": {
          "count": 1,
          "docs": [
            {
              "type": "verdict",
              "disposition": 1,
              "observable": {
                "value": "cisco.com",
                "type": "domain"
              },
              "disposition_name": "Clean",
              "valid_time": {
                "start_time": "2020-04-28T21:55:32.572Z",
                "end_time": "2020-05-28T21:55:32.572Z"
              }
            }
          ]
        }
      }
    },
    {
      "module": "AMP File Reputation",
      "module-type": "POKEDeliberateModule",
      "data": {
        "verdicts": {
          "count": 0,
          "docs": []
        }
      }
    }
  ]
}
JQ Filters for commonly used values:
.data[].module
.data[].data.verdicts.docs[].observable.value
.data[].data.verdicts.docs[].disposition
or, for the name instead of the number: .data[].data.verdicts.docs[].disposition_name
Note
Disposition mapping: {1 “Clean”, 2 “Malicious”, 3 “Suspicious”, 4 “Common”, 5 “Unknown”}
JQ Filters for occasionally used values:
.data[].data.verdicts.docs[].valid_time.start_time
.data[].data.verdicts.docs[].valid_time.end_time
Entities that may be returned:
3.1.5. Use Cases
- There are a high number of observables
- Only verdicts are desired
- To reduce the number of observables
- The goal is to indicate which items merit looking into further
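The inspect-then-deliberate chain above, reduced to a triage list, as an added example that is not part of the Cisco documentation. The HTTP call is injected as `post(path, body)` so the logic runs offline against a replay of the page's sample responses; a live `post` would send the `Authorization: Bearer` header shown above. The second observable, `suspicious.example`, and its Suspicious verdict are constructed, and treating dispositions 2 and 3 as the ones worth investigating is this example's assumption.

```python
from typing import Callable

# Added example (not from the Cisco docs): chain inspect -> deliberate and flag
# observables that merit a closer look. `post(path, body)` is injected so the
# logic runs offline against a replay of the page's sample responses.
DISPOSITION = {1: "Clean", 2: "Malicious", 3: "Suspicious", 4: "Common", 5: "Unknown"}
FLAG = {2, 3}  # assumption: Malicious and Suspicious are the dispositions worth a closer look

def get_verdicts(post: Callable[[str, object], object], content: str) -> list[dict]:
    """Run inspect on free text, then deliberate the extracted observables."""
    observables = post("/iroh/iroh-inspect/inspect", {"content": content})
    if not observables:  # nothing extracted: skip the deliberate call entirely
        return []
    resp = post("/iroh/iroh-enrich/deliberate/observables", observables)
    rows = []
    for module in resp["data"]:  # .data[].module
        for doc in module["data"]["verdicts"]["docs"]:  # .data[].data.verdicts.docs[]
            d = doc["disposition"]
            rows.append({"module": module["module"],
                         "observable": doc["observable"]["value"],
                         "disposition": d,
                         "disposition_name": doc.get("disposition_name", DISPOSITION.get(d, "Unknown")),
                         "flag": d in FLAG})
    return rows

# Constructed replay: the page's sample responses plus one hypothetical Suspicious
# verdict for a placeholder domain, so the flagging path is exercised too.
SAMPLE = {
    "/iroh/iroh-inspect/inspect": [{"value": "cisco.com", "type": "domain"},
                                   {"value": "suspicious.example", "type": "domain"}],
    "/iroh/iroh-enrich/deliberate/observables": {"data": [
        {"module": "Talos Intelligence", "module-type": "SenderBaseInvestigateModule",
         "data": {"verdicts": {"count": 2, "docs": [
             {"type": "verdict", "disposition": 1, "disposition_name": "Clean",
              "observable": {"value": "cisco.com", "type": "domain"}},
             {"type": "verdict", "disposition": 3, "disposition_name": "Suspicious",
              "observable": {"value": "suspicious.example", "type": "domain"}}]}}},
        {"module": "AMP File Reputation", "module-type": "POKEDeliberateModule",
         "data": {"verdicts": {"count": 0, "docs": []}}}]}}

def replay_post(path, body):
    """Offline stand-in for the API: returns the constructed sample for each path."""
    return SAMPLE[path]

if __name__ == "__main__":
    for row in get_verdicts(replay_post, "cisco.com suspicious.example"):
        print(row)
```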
3.2. Contextualize an Observable
3.2.1. Extract Observables
Note
This step can be skipped if the observable type is already known and can be mapped to one of the supported observable types, in which case you can build the payload yourself.
Extract observables using:
POST /iroh/iroh-inspect/inspect
3.2.2. Extract Observables API Example
API Endpoint Definition:
POST https://visibility.amp.cisco.com/iroh/iroh-inspect/inspect HTTP/1.1
Authorization: Bearer ${jwt}
Content-Type: application/json
{
  "content": "cisco.com"
}
JSON Response:
[
  {
    "value": "cisco.com",
    "type": "domain"
  }
]
3.2.4. Observe Observables API Example
API Endpoint Definition:
POST https://visibility.amp.cisco.com/iroh/iroh-enrich/observe/observables HTTP/1.1
Authorization: Bearer ${jwt}
Content-Type: application/json
[
  {
    "value": "cisco.com",
    "type": "domain"
  }
]
JSON Response:
{
  "data": [
    {
      "module": "Talos Intelligence",
      "module-type": "SenderBaseInvestigateModule",
      "data": {
        "verdicts": {
          "count": 1,
          "docs": [
            {
              "type": "verdict",
              "disposition": 1,
              "observable": {
                "value": "cisco.com",
                "type": "domain"
              },
              "judgement_id": "transient:f7e85f0e-2886-479c-baa4-6deb84f9bbf7",
              "disposition_name": "Clean",
              "valid_time": {
                "start_time": "2020-04-28T21:58:56.926Z",
                "end_time": "2020-05-28T21:58:56.926Z"
              }
            }
          ]
        },
        "judgements": {
          "count": 1,
          "docs": [
            {
              "valid_time": {
                "start_time": "2020-04-28T21:58:56.926Z",
                "end_time": "2020-05-28T21:58:56.926Z"
              },
              "schema_version": "1.0.16",
              "observable": {
                "value": "cisco.com",
                "type": "domain"
              },
              "type": "judgement",
              "source": "Talos Intelligence",
              "disposition": 1,
              "reason": "Good Talos Intelligence reputation score",
              "source_uri": "https://www.talosintelligence.com/reputation_center/lookup?search=cisco.com",
              "disposition_name": "Clean",
              "priority": 90,
              "id": "transient:f7e85f0e-2886-479c-baa4-6deb84f9bbf7",
              "severity": "None",
              "tlp": "white",
              "confidence": "High"
            }
          ]
        }
      }
    }
  ]
}
This returns the .data[].module and other pieces of data depending on the use case.
Mapping observables to some objects (for example attack_patterns) requires looking at the relationships and matching the IDs.
May return any of the CTIM entities:
- Actor
- Attack Pattern
- Campaign
- Course of Action
- Feedback
- Incident
- Indicator
- Judgement
- Malware
- Relationship
- Sighting
- Tool
- Verdict
- Vulnerability
- Weakness
Most commonly used entities:
- Verdicts
- Sightings
- Indicators
- Judgements
Note
Targets are found within the Sightings entity.
3.2.5. Are there targets in “my” environment?
Return the .data[].data.sightings.docs[]?.targets and compare the returned objects, deduplicating them to get a true unique set.
The same target can be observed for multiple observables (.data[].data.sightings.docs[]?.observables).
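The target deduplication described above, as an added example that is not part of the Cisco documentation. The sighting and target field names it reads (`targets[].observables`, `observed_time`, and a sighting's own `observables`) are assumed from the CTIM schema rather than shown on this page, and the sample response is constructed: two sightings, triggered by two different observables, land on the same endpoint and should collapse to one unique target.

```python
# Added example (not from the Cisco docs): pull targets out of an observe
# response and deduplicate them across modules and sightings. Field names
# below are assumed from the CTIM schema; the page itself shows no sighting.

def _target_key(target: dict) -> tuple:
    # Two targets are the same host if they carry the same observable set
    # (e.g. hostname + ip); observed_time differs per sighting and is ignored.
    return tuple(sorted((o["type"], o["value"]) for o in target.get("observables", [])))

def unique_targets(observe_response: dict) -> list[dict]:
    """Equivalent of .data[].data.sightings.docs[]?.targets, deduplicated.
    Each result carries the target plus the observables and modules that surfaced it."""
    seen: dict[tuple, dict] = {}
    for module in observe_response.get("data", []):
        sightings = module.get("data", {}).get("sightings")  # the `?` in docs[]?: skip modules without sightings
        if not sightings:
            continue
        for doc in sightings.get("docs", []):
            triggered_by = {(o["type"], o["value"]) for o in doc.get("observables", [])}
            for target in doc.get("targets", []):
                entry = seen.setdefault(_target_key(target),
                                        {"target": target, "observables": set(), "modules": set()})
                entry["observables"] |= triggered_by
                entry["modules"].add(module.get("module"))
    return list(seen.values())

# Constructed sample: one module reports two sightings (a domain and a file hash)
# on the same endpoint, listed with its observables in a different order each time.
SAMPLE = {"data": [
    {"module": "AMP for Endpoints", "data": {"sightings": {"count": 2, "docs": [
        {"type": "sighting", "observables": [{"type": "domain", "value": "cisco.com"}],
         "targets": [{"type": "endpoint", "observed_time": {"start_time": "2020-04-28T21:58:56.926Z"},
                      "observables": [{"type": "hostname", "value": "host-01"},
                                      {"type": "ip", "value": "10.0.0.5"}]}]},
        {"type": "sighting", "observables": [{"type": "sha256", "value": "<constructed-hash>"}],
         "targets": [{"type": "endpoint", "observed_time": {"start_time": "2020-04-29T08:00:00.000Z"},
                      "observables": [{"type": "ip", "value": "10.0.0.5"},
                                      {"type": "hostname", "value": "host-01"}]}]}]}}},
    {"module": "Talos Intelligence", "data": {"verdicts": {"count": 1, "docs": []}}}]}

if __name__ == "__main__":
    for t in unique_targets(SAMPLE):
        print(t["target"]["observables"], "seen via", sorted(t["observables"]))
```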
3.2.6. Use Cases
- Check for targets from within the returned sightings
- Contextualize an observable as it relates to the Global and Private Threat Intel
- Historical Incidents an Observable has been related to
- Identify what Campaign(s) an Observable has been used in
- Find Indicators associated with an Observable
- Discover Observed Relations for an Observable
- URLs hosted on a Domain
- IP Addresses a Domain has resolved to
- File Names associated with a File Hash
- File Paths associated with a File Hash
- Mutexes associated with a File Hash
- URLs a File Hash was downloaded from