
Flashpoint


Flashpoint is the globally trusted leader in risk intelligence for organizations that demand the fastest, most comprehensive coverage of threatening activity on the internet.

Connect Flashpoint with Devo SOAR

  1. Navigate to Automations > Integrations.

  2. Search for Flashpoint.

  3. Click Details, then the + icon. Enter the required information in the following fields.

  4. Label: Enter a connection name.

  5. Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.

  6. Verify SSL: Select this option to verify the connecting server's SSL certificate (default is Verify SSL Certificate).

  7. Remote Agent: Run this integration using the Devo SOAR Remote Agent.

  8. URL: URL to your Flashpoint instance. Example: https://fp.XXXX/api/v4.

  9. API Key/Token: API token used to authenticate to Flashpoint.

  10. After you've entered all the details, click Connect.

Actions for Flashpoint

Get Attribute

This action is used to gather an attribute from the indicators API.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection. Each field is listed with its description and whether it is required.

  • Attribute ID (Required): Jinja-templated text containing the UUID or FPID that identifies a particular attribute.

  • Format (Optional): Jinja-templated text containing the format in which results are displayed. Accepted values are FP, MISP, or CSV. Note: the Attribute endpoint currently only accepts the FP format.

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • response: SUCCESS

Get Attributes

Method to gather attributes from the indicators API. This method is used to retrieve a list of indicators of compromise (IOCs) that occur in the context of an event.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection. Each field is listed with its description and whether it is required.

  • Explode Results (Optional): Explode each result into a separate row. (Default is Yes)

  • Limit (Optional): Number of results to fetch. (Default is 1000)

  • Format (Optional): Jinja-templated text containing the format in which results are displayed. Accepted values are FP, MISP, or CSV. Note: the Attribute endpoint currently only accepts the FP format.

  • Start Date (Optional): Jinja-templated column name from the parent table that contains the start date. Dates are in UTC and follow ISO 8601, or are given as a relative value. Example: YYYY-MM-DD, or 30s, 5m, 2h, 3d, 2w, 3M, 2y.

  • End Date (Optional): Jinja-templated column name from the parent table that contains the end date. Dates are in UTC and follow ISO 8601, or are given as a relative value. Example: YYYY-MM-DD, or 30s, 5m, 2h, 3d, 2w, 3M, 2y.

  • Updated Since (Optional): Jinja-templated text containing a date; only values created after the specified date are returned. Dates are in UTC and follow ISO 8601, or are given as a relative value. Example: YYYY-MM-DD, or 30s, 5m, 2h, 3d, 2w, 3M, 2y.

  • Updated Till (Optional): Jinja-templated text containing a date; only values updated or created until the specified date are returned. Dates are in UTC and follow ISO 8601, or are given as a relative value. Example: YYYY-MM-DD, or 30s, 5m, 2h, 3d, 2w, 3M, 2y.

  • Search Tag (Optional): Jinja-templated text containing a keyword to search for inside the tags. Can contain multiple keywords in a list, such as malware, ransomware.

  • Search Field (Optional): Jinja-templated text used to search on specific value types. This should be a string of comparisons of the form a=something, b>10.

  • Attack IDs (Optional): Jinja-templated text containing a comma-delimited list of MITRE ATT&CK IDs to filter events by.

  • Sort Timestamp (Optional): Jinja-templated text specifying the sort order by timestamp, either asc or des.

  • Report (Optional): Jinja-templated text identifying a specific report by its FPID; only items related to that report are returned.

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • response: SUCCESS

Get Event

Method to gather an event from the indicators API.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection. Each field is listed with its description and whether it is required.

  • Event ID (Required): Jinja-templated text containing the UUID or FPID that identifies a particular event.

  • Format (Optional): Jinja-templated text containing the format in which results are displayed. Accepted values are FP, MISP, or CSV. Note: the Attribute endpoint currently only accepts the FP format.

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • other JSON fields of each model

Get Events

Method to gather events from the indicators API. This method is used to gather a list of events. Events are groupings of different indicators of compromise that contain metadata about the situation where these indicators have been observed.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection. Each field is listed with its description and whether it is required.

  • Explode Results (Optional): Explode each result into a separate row. (Default is Yes)

  • Limit (Optional): Number of results to fetch. (Default is 1000)

  • Format (Optional): Jinja-templated text containing the format in which results are displayed. Accepted values are FP, MISP, or CSV. Note: the Attribute endpoint currently only accepts the FP format.

  • Start Date (Optional): Jinja-templated column name from the parent table that contains the start date. Dates are in UTC and follow ISO 8601, or are given as a relative value. Example: YYYY-MM-DD, or 30s, 5m, 2h, 3d, 2w, 3M, 2y.

  • End Date (Optional): Jinja-templated column name from the parent table that contains the end date. Dates are in UTC and follow ISO 8601, or are given as a relative value. Example: YYYY-MM-DD, or 30s, 5m, 2h, 3d, 2w, 3M, 2y.

  • Updated Since (Optional): Jinja-templated text containing a date; only values created after the specified date are returned. Dates are in UTC and follow ISO 8601, or are given as a relative value. Example: YYYY-MM-DD, or 30s, 5m, 2h, 3d, 2w, 3M, 2y.

  • Updated Till (Optional): Jinja-templated text containing a date; only values updated or created until the specified date are returned. Dates are in UTC and follow ISO 8601, or are given as a relative value. Example: YYYY-MM-DD, or 30s, 5m, 2h, 3d, 2w, 3M, 2y.

  • Search Tag (Optional): Jinja-templated text containing a keyword to search for inside the tags. Can contain multiple keywords in a list, such as malware, ransomware.

  • Search Field (Optional): Jinja-templated text used to search on specific value types. This should be a string of comparisons of the form a=something, b>10.

  • Attack IDs (Optional): Jinja-templated text containing a comma-delimited list of MITRE ATT&CK IDs to filter events by.

  • Sort Timestamp (Optional): Jinja-templated text specifying the sort order by timestamp, either asc or des.

  • Report (Optional): Jinja-templated text identifying a specific report by its FPID; only items related to that report are returned.

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • other JSON fields of each model breach
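The date inputs of Get Attributes and Get Events (Start Date, End Date, Updated Since, Updated Till) accept either an ISO 8601 date in UTC or a relative value such as 30s, 5m, 2h, 3d, 2w, 3M, 2y. The following resolver is an added example, not code from the Devo SOAR integration or from Flashpoint; it turns both forms into UTC timestamps, treats the suffixes case-sensitively (m is minutes, M is months), steps calendar months and years rather than using a fixed number of seconds, and rejects a window whose start lies after its end. The helper names resolve_date and resolve_window are assumptions of this example.

```python
import calendar
import re
from datetime import datetime, timedelta, timezone

# Suffix table from the page. Units are case-sensitive: "m" is minutes, "M" is months.
_FIXED_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_RELATIVE = re.compile(r"(\d+)([smhdwMy])")


def resolve_date(value, now=None):
    """Return a UTC datetime for an ISO 8601 value or a relative value (N units ago)."""
    now = now or datetime.now(timezone.utc)
    value = value.strip()
    m = _RELATIVE.fullmatch(value)
    if m:
        n, unit = int(m.group(1)), m.group(2)
        if unit in _FIXED_SECONDS:
            return now - timedelta(seconds=n * _FIXED_SECONDS[unit])
        # Months and years are calendar units: step the calendar back and clamp the
        # day so that e.g. 1M before 31 March lands on 29 February, not an invalid date.
        months = n * 12 if unit == "y" else n
        year, month0 = divmod(now.year * 12 + now.month - 1 - months, 12)
        day = min(now.day, calendar.monthrange(year, month0 + 1)[1])
        return now.replace(year=year, month=month0 + 1, day=day)
    # Absolute value: accept YYYY-MM-DD or a full timestamp; a trailing "Z" means UTC.
    dt = datetime.fromisoformat(value[:-1] + "+00:00" if value.endswith("Z") else value)
    if dt.tzinfo is None:  # the page says dates are UTC, so treat naive values as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def resolve_window(start, end, now=None):
    """Resolve a start/end pair (Start Date/End Date or Updated Since/Updated Till)
    to ISO 8601 UTC strings, rejecting a window whose start is after its end."""
    now = now or datetime.now(timezone.utc)
    s = resolve_date(start, now) if start else None
    e = resolve_date(end, now) if end else None
    if s and e and s > e:
        raise ValueError(f"start {s.isoformat()} is after end {e.isoformat()}")
    return (s.isoformat() if s else None, e.isoformat() if e else None)


if __name__ == "__main__":
    # Constructed reference time so the relative values resolve deterministically.
    print(resolve_window("3d", "2024-03-30", now=resolve_date("2024-03-31T12:00:00Z")))
```

Any value that fully matches neither form (for example 3x) raises ValueError from the ISO parser, which is the right place to fail rather than silently querying an unbounded window.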

Search Datasets

General search method. This method is used to execute queries against the Flashpoint Search API. It accepts a variety of keyword arguments corresponding to the Search API parameters. It also accepts a basetypes parameter to easily run broad queries against specific basetypes.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection. Each field is listed with its description and whether it is required.

  • Explode Results (Optional): Explode each result into a separate row. (Default is Yes)

  • Basetypes (Optional): Jinja-templated text containing a list of basetype strings. The module fp_sdk.basetypes exists to assist with using basetypes. Example: ["conversation", "chat", "telegram", "container"]

  • Query (Required): Jinja-templated text containing the free-text search query using ES URI search. Either the query or the q parameter is required. If both are provided, query takes precedence and q is ignored.

  • Limit (Optional): Number of results to fetch. (Default is 1000)

  • Sort (Optional): Jinja-templated text containing a list of field:order pairs to sort the results by. Example: ["created_at:desc", "author:asc"]

  • Source (Optional): Jinja-templated text; when set, the _source object is returned from the returned hits.

  • Fields (Optional): Jinja-templated text containing a list of fields to search against. Applies to query terms that don't have field names explicitly set in the query string.

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • other JSON fields of Breach ID details

Release Notes

  • v2.0.0 - Updated architecture to support IO via filesystem

  • v1.0.1 - Added 5 new actions.