Document toolboxDocument toolbox

Area 1 Security

Owned by Jonas Gonzalez
Last updated: Nov 29, 2024
6 min read
[ 1 Connect Area 1 Security with Devo SOAR ] [ 2 Actions for Area 1 Security ] [ 2.1 List Actors ] [ 2.1.1 Input Field ] [ 2.1.2 Output ] [ 2.2 Search Indicator (Rate Limit: 4/minute) ] [ 2.2.1 Input Field ] [ 2.2.2 Output ] [ 2.3 Email Details by Alert ID ] [ 2.3.1 Input Field ] [ 2.3.2 Output ] [ 2.4 Search All Emails ] [ 2.4.1 Input Field ] [ 2.4.2 Output ] [ 3 Release Notes ]

Area 1 Security offers Application Programming Interfaces (APIs) to expose our phishing campaign rulesets. These APIs both aid research and provide a set of indicators to block using network security edge devices.

Connect Area 1 Security with Devo SOAR

  1. Navigate to Automations > Integrations.

  2. Search for Area 1 Security.

  3. Click Details, then the + icon. Enter the required information in the following fields.

  4. Label: Enter a connection name.

  5. Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com where, hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.

  6. Verify SSL: Select option to verify connecting server's SSL certificate (Default is Verify SSL Certificate).

  7. Remote Agent: Run this integration using the Devo SOAR Remote Agent.

  8. Username: Username to access Area 1 Security APIs.

  9. Password: Password to access Area 1 Security APIs.

  10. After you've entered all the details, click Connect.

Actions for Area 1 Security

List Actors

This service returns a list of Actors.

Input Field

Choose a connection that you have previously created to complete the connection.

Output

A JSON object containing multiple rows of result:

``` {json}{ "error":null, "has_error":false, "result":"ALL_ACTOR" }

## Return Indicators (Rate Limit: 10/hour) This service returns malicious indicators (file hashes, URLs, domains, and IP address) that we recommend you block at your network edge using proxy devices and firewalls. ### Input Field Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection. | Input Name | Description | Required | | : -------- | : -------- | : -------- | | Since | [Jinja-templated](doc:jinja-template) text containing the value for start time, the ISO 8601 date and time (Default is Batch start time). Example: to specify July 16, 2017, use the form YYYY-MM-DDTHH:mm:ss, or 2017-07-16T00:00:00. Can also be timezone specific YYYY-MM-DDTHH:mm:ss-HH:mm, or 2017-07-16T00:00:00-4:00. | | | End | [Jinja-templated](doc:jinja-template) text containing the value for end time, the ISO 8601 date and time (Default is Batch end time). Example: to specify July 16, 2017, use the form YYYY-MM-DDTHH:mm:ss, or 2017-07-16T00:00:00. Can also be timezone specific YYYY-MM-DDTHH:mm:ss-HH:mm, or 2017-07-16T00:00:00-4:00. | | | Actor | [Jinja-templated](doc:jinja-template) text containing the value of actor. Example: {{actor}} \* Killchain (Optional): [Jinja-Templated](doc:jinja-template) text containing the CSVs of the killchain. Example: {{killchain_1}},3 | | | Killchain | [Jinja-templated](doc:jinja-template) text containing the CSVs of the killchain. Example: {{killchain_1}},3 | | | Cat | [Jinja-templated](doc:jinja-template) text containing the CSVs of the cat. Example: {{cat_1}},targeted | | | Type | [Jinja-templated](doc:jinja-template) text containing the CSVs of the type. Example: {{type_1}},domain | | ### Output A JSON object containing indicator details: ``` {json}{ "has_error":false, "error":null, "threat_name": "Google Credential Harvester", "item_type": "url", "description": "https://api.area1.com/nirvana/google-credential-harvesting.html", "item_name": "www.example.com/a-bad-url/", "first_detected": 1449164991, "threat_categories": [ { "threat_type": [ "Credential Harvester", "Malicious Web Server" ], "category": [ "Universal" ], "killchain": [ "3" ], "actor": [ "CHN1" ] } ] }

Search Indicator (Rate Limit: 4/minute)

This service can be queried with a basic indicator (file hash (MD5/SHA-1/SHA-256), URL, domain, IP Address, or email address) and returns information about the indicator.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required

Input Name

Description

Required

Indicator

Jinja-templated text containing the value of indicator of interest. Example: {{indicator}}

Required

Historic

Select value of Historic (Default is False). True/False

Optional

Output

A JSON object containing indicator details:

``` {json}{ "has_error":false, "error":null, "indicator": "example", "first_seen": 1433810886000, "last_seen": 1478200022000, "Hash_ImpHash": "eample", "Hash_authentihash": "example", "type": "Hash_SHA1", "Hash_ssdeep": "example", "disposition": "MALICIOUS", "tlp": "white", "Hash_MD5": "example_md5", "tag_histories": [ { "intervals": [ { "start": 1337347427000, "end": "current" } ], "category": "Actor", "value": "abc" }, { "intervals": [ { "start": 1337347427000, "end": "current" } ], "category": "ThreatType", "value": "Dropper" } ], "family": "file", "Hash_SHA256": "example" }

## List Alerts (Rate Limit: 5/hour) This service returns information of each alert that is generated through the Area 1 Security email product. ### Input Field Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection. | Input Name | Description | Required | | : -------- | : -------- | : -------- | | Disposition | [Jinja-templated](doc:jinja-template) text containing the CSVs of disposition (Default is malicious). Example: {{disposition}},spam | Optional | | Since | [Jinja-templated](doc:jinja-template) text containing the value for start time, the ISO 8601 date and time (Default is Batch start time). Example: to specify July 16, 2017, use the form YYYY-MM-DDTHH:mm:ss, or 2017-07-16T00:00:00. Can also be timezone specific YYYY-MM-DDTHH:mm:ss-HH:mm, or 2017-07-16T00:00:00-4:00. | Optional | | End | [Jinja-templated](doc:jinja-template) text containing the value for end time, the ISO 8601 date and time (Default is Batch end time). Example: to specify July 16, 2017, use the form YYYY-MM-DDTHH:mm:ss, or 2017-07-16T00:00:00. Can also be timezone specific YYYY-MM-DDTHH:mm:ss-HH:mm, or 2017-07-16T00:00:00-4:00. | Optional | ### Output A JSON object containing List of Alerts: ``` {json}{ "has_error":false, "error":null, "source": "area1security", "time": 1524570920, "event": { "final_disposition": "MALICIOUS", "attachments": [ { "sha1": "example", "sha256": "example", "content_type_provided": "image/jpeg", "content_type_computed": "image/jpeg", "name": "image003.jpg", "ssdeep": "example", "md5": "example" } ], "smtp_helo_server_name": "mail.example.net", "envelope_to": [ "user@example.com" ], "subject": "Potential Partnership", "smtp_helo_server_ip_as_name": "LIQUIDWEB - Liquid Web, L.L.C, US", "alert_reasons": [ "Malicious previous hop domain server 'mail.example[dot]net'", "no really, it's a very mailicious domain 'example[dot]net'" ], "encrypted_feature_count": null, "message_id": "<example@example.com.ph>", "replyto_name": null, "from_name": "Christine", "smtp_helo_server_ip": "192.168.1.184", "smtp_helo_server_ip_geo": "US/-/-", "smtp_helo_server_ip_as_number": "3232235960", "envelope_from": "christine@example.com.ph", "alert_id": "40VVylabcbz7pJj-2018-04-24T04:41:19", "replyto": "christine@example.com.ph", "from": "CEO Christine <christine@example.com.ph>", "to": [ "user@example.com" ], "ts": "2018-04-24T04:41:19Z" } }

Email Details by Alert ID

This service returns the content of an email given an alert_id from the detection message sent from Area 1.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required

Input Name

Description

Required

Alert ID

Jinja-templated text containing the value of the Alert ID. Example: {{alert_id}}

Required

Output

A JSON object containing message content and fileId of message details:

``` {json}{ "has_error":false, "error":null, "email": "body", "fileId": "4153535" }

## Search Detected Emails This service returns information for each email that matches the search parameter(s). Only emails that have a detection (final_disposition of SPOOF, SPAM, SUSPICIOUS, MALICIOUS-BEC or MALICIOUS) will be searched. ### Input Field Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection. | Input Name | Description | Required | | : -------- | : -------- | : -------- | | Query | [Jinja-templated](doc:jinja-template) text containing the value of the query. Example: {{query}} | Required | | Days Back | [Jinja-templated](doc:jinja-template) text containing the value of the days back (default is 7, maximum is 365). Example: 108 | Optional | | Limit | [Jinja-templated](doc:jinja-template) text containing the value of the number of Emails to fetch (Default is 100, Maximum is 1000). Example: 50 | Optional | **Output of Action**: A JSON object containing detected email list: ``` {json}{ "has_error":false, "error":null, "cc": null, "tracking_value_sent": "", "final_disposition": "MALICIOUS", "x_originating_ip": null, "to_name": null, "subject": "listen, I highly recommend u to read that email, just to ensure not a thing will take place ", "findings": [ { "reason": "IP is a source of spam/uce : Smtp-Helo-Server-Ip='127.0.0[dot]186'", "score": null, "detection": "SPAM", "field": "smtp_helo_server_ip", "attachment": null, "portion": "SMTP", "name": "blocklist", "action": "PROMOTE", "detail": null, "diagnostic": "", "value": "127.0.0.186", "version": null } ], "sent_date": "2019-11-21T00:22:01", "detectionReasons": [ "IP is a source of spam/uce : Smtp-Helo-Server-Ip=<b>127.0.0[dot]186</b>" ], "client_uuid": "abcdef12-3456-7890-abcd-ef1234567896", "from_name": null, "smtp_helo_server_ip": "127.0.0.186", "smtp_previous_hop_ip": "127.0.0.186", "envelope_from": "d1994@example.com", "replyto": "d1994@example.com", "from": "d1994@example.com", "to": [ "email@area1security.com" ], "client_name": "area1", "postfix_ident": "47JJcT1w6GztQV7", "ts": "2019-11-20T23:22:01" }

Search All Emails

This service returns information for each email that matches the search parameter(s). All email can be searched, whether it registered a detection or not.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required

Input Name

Description

Required

Subject

Jinja-templated text containing the value of the Subject.

 

Example: {{subject}}

Optional

 

Alert ID

Jinja-templated text containing the value of the Alert ID(only present for emails with a final_disposition of SPOOF, SPAM, SUSPICIOUS, MALICIOUS-BEC, or MALICIOUS).

 

Example: {{alert_id}}

Optional

 

Message ID

Jinja-templated text containing the value of the full Message ID.

 

Example: {{message_id}}

Optional

 

Recipient

Jinja-templated text containing the value of the Recipient.

 

Example: {{recipient}}

Optional

 

Sender

Jinja-templated text containing the value of the Sender.

 

Example: {{sender}}

Optional

 

Since

Jinja-templated text containing the value for start time, the ISO 8601 date and time (Default is Batch start time).

 

Example: to specify July 16, 2017, use the form YYYY-MM-DDTHH:mm:ss, or 2017-07-16T00:00:00. Can also be timezone specific YYYY-MM-DDTHH:mm:ss-HH:mm, or 2017-07-16T00:00:00-4:00.

Optional

 

End

Jinja-templated text containing the value for end time, the ISO 8601 date and time (Default is Batch end time).

 

Example: to specify July 16, 2017, use the form YYYY-MM-DDTHH:mm:ss, or 2017-07-16T00:00:00. Can also be timezone specific YYYY-MM-DDTHH:mm:ss-HH:mm, or 2017-07-16T00:00:00-4:00.

Optional

 

Limit

Jinja-templated text containing the value of the number of Emails to fetch (Default is 100, Maximum is 1000).

 

Example: 50

Optional

 

Output

A JSON object containing email details:

{json}{ "has_error":false, "error":null, "postfix_ident_outbound": "47Jjdp3WRsz11M1D", "final_disposition": "NONE", "envelope_to": [ "rebecca@example.com" ], "subject": "[EXTERNAL] RE: Lost and found", "from": "kelsey@example.com", "message_id": "<DM3P159M258D4E0@DM3P159MB001.PROD.OUTLOOK.COM>", "postfix_ident": "47Jjcz1H88z11M4F", "client_name": "mr. client", "ts": "2019-11-21T15:09:33" }

Release Notes

  • v2.0.0 - Updated architecture to support IO via filesystem