...
Area 1 Security offers Application Programming Interfaces (APIs) to expose our phishing campaign rulesets. These APIs both aid research and provide a set of indicators to block using network security edge devices.
Connect Area 1 Security with Devo SOAR
Navigate to Automations > Integrations.
Search for Area 1 Security.
Click Details, then the + icon. Enter the required information in the following fields.
Label: Enter a connection name.
Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com where, hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
Verify SSL: Select option to verify connecting server's SSL certificate (Default is Verify SSL Certificate).
Remote Agent: Run this integration using the Devo SOAR Remote Agent.
Username: Username to access Area 1 Security APIs.
Password: Password to access Area 1 Security APIs.
After you've entered all the details, click Connect.
Actions for Area 1 Security
List Actors
This service returns a list of Actors.
Input Field
Choose a connection that you have previously created to complete the connection.
Output
A JSON object containing multiple rows of result:
...
Code Block |
---|
## Return Indicators (Rate Limit: 10/hour) This service returns malicious indicators (file hashes, URLs, domains, and IP address) that we recommend you block at your network edge using proxy devices and firewalls. ### Input Field Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection. | Input Name | Description | Required | | : -------- | : -------- | : -------- | | Since | [Jinja-templated](doc:jinja-template) text containing the value for start time, the ISO 8601 date and time (Default is Batch start time). Example: to specify July 16, 2017, use the form YYYY-MM-DDTHH:mm:ss, or 2017-07-16T00:00:00. Can also be timezone specific YYYY-MM-DDTHH:mm:ss-HH:mm, or 2017-07-16T00:00:00-4:00. | | | End | [Jinja-templated](doc:jinja-template) text containing the value for end time, the ISO 8601 date and time (Default is Batch end time). Example: to specify July 16, 2017, use the form YYYY-MM-DDTHH:mm:ss, or 2017-07-16T00:00:00. Can also be timezone specific YYYY-MM-DDTHH:mm:ss-HH:mm, or 2017-07-16T00:00:00-4:00. | | | Actor | [Jinja-templated](doc:jinja-template) text containing the value of actor. Example: {{actor}} \* Killchain (Optional): [Jinja-Templated](doc:jinja-template) text containing the CSVs of the killchain. Example: {{killchain_1}},3 | | | Killchain | [Jinja-templated](doc:jinja-template) text containing the CSVs of the killchain. Example: {{killchain_1}},3 | | | Cat | [Jinja-templated](doc:jinja-template) text containing the CSVs of the cat. Example: {{cat_1}},targeted | | | Type | [Jinja-templated](doc:jinja-template) text containing the CSVs of the type. Example: {{type_1}},domain | | ### Output A JSON object containing indicator details: ``` {json}{ "has_error":false, "error":null, "threat_name": "Google Credential Harvester", "item_type": "url", "description": "https://api.area1.com/nirvana/google-credential-harvesting.html", "item_name": "www.example.com/a-bad-url/", "first_detected": 1449164991, "threat_categories": [ { "threat_type": [ "Credential Harvester", "Malicious Web Server" ], "category": [ "Universal" ], "killchain": [ "3" ], "actor": [ "CHN1" ] } ] } |
Search Indicator (Rate Limit: 4/minute)
This service can be queried with a basic indicator (file hash (MD5/SHA-1/SHA-256), URL, domain, IP Address, or email address) and returns information about the indicator.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Indicator | Jinja-templated text containing the value of indicator of interest. Example: {{indicator}} | Required |
Historic | Select value of Historic (Default is False). True/False | Optional |
Output
A JSON object containing indicator details:
...
Code Block |
---|
## List Alerts (Rate Limit: 5/hour) This service returns information of each alert that is generated through the Area 1 Security email product. ### Input Field Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection. | Input Name | Description | Required | | : -------- | : -------- | : -------- | | Disposition | [Jinja-templated](doc:jinja-template) text containing the CSVs of disposition (Default is malicious). Example: {{disposition}},spam | Optional | | Since | [Jinja-templated](doc:jinja-template) text containing the value for start time, the ISO 8601 date and time (Default is Batch start time). Example: to specify July 16, 2017, use the form YYYY-MM-DDTHH:mm:ss, or 2017-07-16T00:00:00. Can also be timezone specific YYYY-MM-DDTHH:mm:ss-HH:mm, or 2017-07-16T00:00:00-4:00. | Optional | | End | [Jinja-templated](doc:jinja-template) text containing the value for end time, the ISO 8601 date and time (Default is Batch end time). Example: to specify July 16, 2017, use the form YYYY-MM-DDTHH:mm:ss, or 2017-07-16T00:00:00. Can also be timezone specific YYYY-MM-DDTHH:mm:ss-HH:mm, or 2017-07-16T00:00:00-4:00. | Optional | ### Output A JSON object containing List of Alerts: ``` {json}{ "has_error":false, "error":null, "source": "area1security", "time": 1524570920, "event": { "final_disposition": "MALICIOUS", "attachments": [ { "sha1": "example", "sha256": "example", "content_type_provided": "image/jpeg", "content_type_computed": "image/jpeg", "name": "image003.jpg", "ssdeep": "example", "md5": "example" } ], "smtp_helo_server_name": "mail.example.net", "envelope_to": [ "user@example.com" ], "subject": "Potential Partnership", "smtp_helo_server_ip_as_name": "LIQUIDWEB - Liquid Web, L.L.C, US", "alert_reasons": [ "Malicious previous hop domain server 'mail.example[dot]net'", "no really, it's a very mailicious domain 'example[dot]net'" ], "encrypted_feature_count": null, "message_id": "<example@example.com.ph>", "replyto_name": null, "from_name": "Christine", "smtp_helo_server_ip": "192.168.1.184", "smtp_helo_server_ip_geo": "US/-/-", "smtp_helo_server_ip_as_number": "3232235960", "envelope_from": "christine@example.com.ph", "alert_id": "40VVylabcbz7pJj-2018-04-24T04:41:19", "replyto": "christine@example.com.ph", "from": "CEO Christine <christine@example.com.ph>", "to": [ "user@example.com" ], "ts": "2018-04-24T04:41:19Z" } } |
Email Details by Alert ID
This service returns the content of an email given an alert_id from the detection message sent from Area 1.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Alert ID | Jinja-templated text containing the value of the Alert ID. Example: {{alert_id}} | Required |
Output
A JSON object containing message content and fileId of message details:
...
Code Block |
---|
## Search Detected Emails This service returns information for each email that matches the search parameter(s). Only emails that have a detection (final_disposition of SPOOF, SPAM, SUSPICIOUS, MALICIOUS-BEC or MALICIOUS) will be searched. ### Input Field Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection. | Input Name | Description | Required | | : -------- | : -------- | : -------- | | Query | [Jinja-templated](doc:jinja-template) text containing the value of the query. Example: {{query}} | Required | | Days Back | [Jinja-templated](doc:jinja-template) text containing the value of the days back (default is 7, maximum is 365). Example: 108 | Optional | | Limit | [Jinja-templated](doc:jinja-template) text containing the value of the number of Emails to fetch (Default is 100, Maximum is 1000). Example: 50 | Optional | **Output of Action**: A JSON object containing detected email list: ``` {json}{ "has_error":false, "error":null, "cc": null, "tracking_value_sent": "", "final_disposition": "MALICIOUS", "x_originating_ip": null, "to_name": null, "subject": "listen, I highly recommend u to read that email, just to ensure not a thing will take place ", "findings": [ { "reason": "IP is a source of spam/uce : Smtp-Helo-Server-Ip='127.0.0[dot]186'", "score": null, "detection": "SPAM", "field": "smtp_helo_server_ip", "attachment": null, "portion": "SMTP", "name": "blocklist", "action": "PROMOTE", "detail": null, "diagnostic": "", "value": "127.0.0.186", "version": null } ], "sent_date": "2019-11-21T00:22:01", "detectionReasons": [ "IP is a source of spam/uce : Smtp-Helo-Server-Ip=<b>127.0.0[dot]186</b>" ], "client_uuid": "abcdef12-3456-7890-abcd-ef1234567896", "from_name": null, "smtp_helo_server_ip": "127.0.0.186", "smtp_previous_hop_ip": "127.0.0.186", "envelope_from": "d1994@example.com", "replyto": "d1994@example.com", "from": "d1994@example.com", "to": [ "email@area1security.com" ], "client_name": "area1", "postfix_ident": "47JJcT1w6GztQV7", "ts": "2019-11-20T23:22:01" } |
Search All Emails
This service returns information for each email that matches the search parameter(s). All email can be searched, whether it registered a detection or not.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Subject | Jinja-templated text containing the value of the Subject. | |
Example: {{subject}} | Optional | |
Alert ID | Jinja-templated text containing the value of the Alert ID(only present for emails with a final_disposition of SPOOF, SPAM, SUSPICIOUS, MALICIOUS-BEC, or MALICIOUS). | |
Example: {{alert_id}} | Optional | |
Message ID | Jinja-templated text containing the value of the full Message ID. | |
Example: {{message_id}} | Optional | |
Recipient | Jinja-templated text containing the value of the Recipient. | |
Example: {{recipient}} | Optional | |
Sender | Jinja-templated text containing the value of the Sender. | |
Example: {{sender}} | Optional | |
Since | Jinja-templated text containing the value for start time, the ISO 8601 date and time (Default is Batch start time). | |
Example: to specify July 16, 2017, use the form YYYY-MM-DDTHH:mm:ss, or 2017-07-16T00:00:00. Can also be timezone specific YYYY-MM-DDTHH:mm:ss-HH:mm, or 2017-07-16T00:00:00-4:00. | Optional | |
End | Jinja-templated text containing the value for end time, the ISO 8601 date and time (Default is Batch end time). | |
Example: to specify July 16, 2017, use the form YYYY-MM-DDTHH:mm:ss, or 2017-07-16T00:00:00. Can also be timezone specific YYYY-MM-DDTHH:mm:ss-HH:mm, or 2017-07-16T00:00:00-4:00. | Optional | |
Limit | Jinja-templated text containing the value of the number of Emails to fetch (Default is 100, Maximum is 1000). | |
Example: 50 | Optional |
Output
A JSON object containing email details:
{json}{ "has_error":false, "error":null, "postfix_ident_outbound": "47Jjdp3WRsz11M1D", "final_disposition": "NONE", "envelope_to": [ "rebecca@example.com" ], "subject": "[EXTERNAL] RE: Lost and found", "from": "kelsey@example.com", "message_id": "<DM3P159M258D4E0@DM3P159MB001.PROD.OUTLOOK.COM>", "postfix_ident": "47Jjcz1H88z11M4F", "client_name": "mr. client", "ts": "2019-11-21T15:09:33" }
Release Notes
v2.0.0
- Updated architecture to support IO via filesystem
...