Area 1 Security

Area 1 Security offers Application Programming Interfaces (APIs) to expose our phishing campaign rulesets. These APIs both aid research and provide a set of indicators to block using network security edge devices.

Connect Area 1 Security with Devo SOAR

Navigate to Automations > Integrations.
Search for Area 1 Security.
Click Details, then the + icon. Enter the required information in the following fields.
- Label: Enter a connection name.
- Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com where, hostname is a variable defined in this input.
- Verify SSL: Select option to verify connecting server's SSL certificate (Default is Verify SSL Certificate).
- Remote Agent: Run this integration using the Devo SOAR Remote Agent.
- Username: Username to access Area 1 Security APIs.
- Password: Password to access Area 1 Security APIs.
After you've entered all the details, click Connect.

Actions for Area 1 Security

List Actors

This service returns a list of Actors.

Input Field

Choose a connection that you have previously created to complete the connection.

Output

A JSON object containing multiple rows of result:

JSON

{
	"error":null,
	"has_error":false,
	"result":"ALL_ACTOR"
}

Return Indicators (Rate Limit: 10/hour)

This service returns malicious indicators (file hashes, URLs, domains, and IP address) that we recommend you block at your network edge using proxy devices and firewalls.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name	Description	Required

Input Name	Description	Required
Since	Jinja-templated text containing the value for start time, the ISO 8601 date and time (Default is Batch start time). Example: to specify July 16, 2017, use the form YYYY-MM-DDTHH:mm:ss, or 2017-07-16T00:00:00. Can also be timezone specific YYYY-MM-DDTHH:mm:ss-HH:mm, or 2017-07-16T00:00:00-4:00.
End	Jinja-templated text containing the value for end time, the ISO 8601 date and time (Default is Batch end time). Example: to specify July 16, 2017, use the form YYYY-MM-DDTHH:mm:ss, or 2017-07-16T00:00:00. Can also be timezone specific YYYY-MM-DDTHH:mm:ss-HH:mm, or 2017-07-16T00:00:00-4:00.
Actor	Jinja-templated text containing the value of actor. Example: {{actor}} Killchain (Optional): Jinja-Templated text containing the CSVs of the killchain. Example: {{killchain_1}},3
Killchain	Jinja-templated text containing the CSVs of the killchain. Example: {{killchain_1}},3
Cat	Jinja-templated text containing the CSVs of the cat. Example: {{cat_1}},targeted
Type	Jinja-templated text containing the CSVs of the type. Example: {{type_1}},domain

Output

A JSON object containing indicator details:

JSON

{
  "has_error":false,
  "error":null,
	"threat_name": "Google Credential Harvester",
	"item_type": "url",
	"description": "https://api.area1.com/nirvana/google-credential-harvesting.html",
	"item_name": "www.example.com/a-bad-url/",
	"first_detected": 1449164991,
	"threat_categories": [
		{
			"threat_type": [
				"Credential Harvester",
				"Malicious Web Server"
			],
			"category": [
				"Universal"
			],
			"killchain": [
				"3"
			],
			"actor": [
				"CHN1"
			]
		}
	]
}

Search Indicator (Rate Limit: 4/minute)

This service can be queried with a basic indicator (file hash (MD5/SHA-1/SHA-256), URL, domain, IP Address, or email address) and returns information about the indicator.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name	Description	Required

Input Name	Description	Required
Indicator	Jinja-templated text containing the value of indicator of interest. Example: {{indicator}}	Required
Historic	Select value of Historic (Default is False). True/False	Optional

Output

A JSON object containing indicator details:

JSON

{
  "has_error":false,
  "error":null,
  "indicator": "example",
  "first_seen": 1433810886000,
  "last_seen": 1478200022000,
  "Hash_ImpHash": "eample",
  "Hash_authentihash": "example",
  "type": "Hash_SHA1",
  "Hash_ssdeep": "example",
  "disposition": "MALICIOUS",
  "tlp": "white",
  "Hash_MD5": "example_md5",
  "tag_histories": [
    {
      "intervals": [
        {
          "start": 1337347427000,
          "end": "current"
        }
      ],
      "category": "Actor",
      "value": "abc"
    },
    {
      "intervals": [
        {
          "start": 1337347427000,
          "end": "current"
        }
      ],
      "category": "ThreatType",
      "value": "Dropper"
    }
  ],
  "family": "file",
  "Hash_SHA256": "example"
}

List Alerts (Rate Limit: 5/hour)

This service returns information of each alert that is generated through the Area 1 Security email product.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name	Description	Required

Input Name	Description	Required
Disposition	Jinja-templated text containing the CSVs of disposition (Default is malicious). Example: {{disposition}},spam	Optional
Since	Jinja-templated text containing the value for start time, the ISO 8601 date and time (Default is Batch start time). Example: to specify July 16, 2017, use the form YYYY-MM-DDTHH:mm:ss, or 2017-07-16T00:00:00. Can also be timezone specific YYYY-MM-DDTHH:mm:ss-HH:mm, or 2017-07-16T00:00:00-4:00.	Optional
End	Jinja-templated text containing the value for end time, the ISO 8601 date and time (Default is Batch end time). Example: to specify July 16, 2017, use the form YYYY-MM-DDTHH:mm:ss, or 2017-07-16T00:00:00. Can also be timezone specific YYYY-MM-DDTHH:mm:ss-HH:mm, or 2017-07-16T00:00:00-4:00.	Optional

Output

A JSON object containing List of Alerts:

JSON

Email Details by Alert ID

This service returns the content of an email given an alert_id from the detection message sent from Area 1.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name	Description	Required

Input Name	Description	Required
Alert ID	Jinja-templated text containing the value of the Alert ID. Example: {{alert_id}}	Required

Output

A JSON object containing message content and fileId of message details:

JSON

Search Detected Emails

This service returns information for each email that matches the search parameter(s). Only emails that have a detection (final_disposition of SPOOF, SPAM, SUSPICIOUS, MALICIOUS-BEC or MALICIOUS) will be searched.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name	Description	Required

Input Name	Description	Required
Query	Jinja-templated text containing the value of the query. Example: {{query}}	Required
Days Back	Jinja-templated text containing the value of the days back (default is 7, maximum is 365). Example: 108	Optional
Limit	Jinja-templated text containing the value of the number of Emails to fetch (Default is 100, Maximum is 1000). Example: 50	Optional

Output of Action:
A JSON object containing detected email list:

JSON

Search All Emails

This service returns information for each email that matches the search parameter(s). All email can be searched, whether it registered a detection or not.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name	Description	Required

Input Name	Description	Required
Subject	Jinja-templated text containing the value of the Subject. Example: {{subject}}	Optional
Alert ID	Jinja-templated text containing the value of the Alert ID(only present for emails with a final_disposition of SPOOF, SPAM, SUSPICIOUS, MALICIOUS-BEC, or MALICIOUS). Example: {{alert_id}}	Optional
Message ID	Jinja-templated text containing the value of the full Message ID. Example: {{message_id}}	Optional
Recipient	Jinja-templated text containing the value of the Recipient. Example: {{recipient}}	Optional
Sender	Jinja-templated text containing the value of the Sender. Example: {{sender}}	Optional
Since	Jinja-templated text containing the value for start time, the ISO 8601 date and time (Default is Batch start time). Example: to specify July 16, 2017, use the form YYYY-MM-DDTHH:mm:ss, or 2017-07-16T00:00:00. Can also be timezone specific YYYY-MM-DDTHH:mm:ss-HH:mm, or 2017-07-16T00:00:00-4:00.	Optional
End	Jinja-templated text containing the value for end time, the ISO 8601 date and time (Default is Batch end time). Example: to specify July 16, 2017, use the form YYYY-MM-DDTHH:mm:ss, or 2017-07-16T00:00:00. Can also be timezone specific YYYY-MM-DDTHH:mm:ss-HH:mm, or 2017-07-16T00:00:00-4:00.	Optional
Limit	Jinja-templated text containing the value of the number of Emails to fetch (Default is 100, Maximum is 1000). Example: 50	Optional

Output

A JSON object containing email details:

JSON

Release Notes

v2.0.0 - Updated architecture to support IO via filesystem