ThreatBot: API Integration, Slack Bots, and Happines


ThreatBot—API Integration, Slack Bots, and Happiness: Detect ‘19 Series

After you have watched this Webinar, please feel free to contact us with any questions you may have at


WILL RODINA: I am here to talk today about threatbot: API integrations, slack bots and happiness.

I hope that's what you're here to learn about.

If not, stay anyway.

It should be a good time.

So putting together a presentation, I read a little guide because this is first time I've ever done this.

And they said, OK, pick a theme that will tie your presentation together, give you some continuity throughout all slide.

So what I have done is I have pulled quotes from one of my favorite books.

I'm not going to name it right now.

Some of you may recognize it.

But I tried to pick a quote that's going to be kind of thematically related to the next section.

So I'll let you know at the end, but maybe you'd guess it.

Who am I?

I said my name's Will, Will Rodina.

I am a cyber threat intelligence analyst.

I do use the term cyber.

I know that's kind of a contentious topic, but I think it's accessible for people who are outside of the technology world.

Even though inside the tech world, some of us roll our eyes when we hear, OK, cyber.

I work for a large financial institution.

They are very picky about not actually having the company name associated with stuff.

If I wanted to include the company name, there's all sorts of extra paperwork involved, and I just want to be clear that I'm not speaking on their behalf at any time.

I can give you a hint.

The name starts with the bank of New York and ends with of New York Mellon.

So it's on my nametag, too, if you see it.

So I just can't write it down anywhere.

A bit of a background.

I came in to cyber threat intelligence from the technical side.

I was a system administrator for a number of years.

So that's my-- that's kind of my background.

I am not-- now, I will give you a little bit of a warning.

I'm not a professionally trained developer at all.

This does involve some Python code.

Those of you who are expert coders and developers are going to look at this and roll your eyes and say, oh, my gosh, what's this guy doing?

As a system administrator, I got pretty good at scripting.

I can do what I refer to as street coding.

It works.

It may not be pretty, but it gets the job done.

Four kids.

Explains my gray hair.

I'm only 22 years old.

I'm just kidding.

Husband of one.

My lovely wife is joining me here for moral support.

And you thought you were going to get out of this without me calling attention, ooh.

Welcome to the thunderdome.

If you will permit me just one brief moment of a personal story about my wife-- it's a lovely shade of red you're wearing.

Last night-- she is very afraid of heights-- and last night after about a dozen drinks, we took a ride on the Capital Ferris wheel.

And we went around two whole times before she pushed the panic button, and we had to get off.

But she is convinced that I'm not proud of her.

So would you please, just a quick round of applause for my wife.

Thank you very much for indulging me.

I appreciate that.

I am in so much trouble.


I have also just started the master's program of applied intelligence at Mercyhurst University, so I've got lots of extra free time.

You can probably tell.

So here I am.

I don't have a Twitter.

I don't have a GitHub.

I don't have a YouTube.

I don't have a SoundCloud.

I don't have anything like that.

I do have email.

I'll put this up again at the end.

If you are interested in reaching out to me afterward, please feel free to drop me a line, also my mobile phone number.

I like the Signal app.

You can also send me a text message.

If you call me, I'd probably won't recognize your number, so I'll let you leave a voicemail.

But that's how you can get a hold of me if you want to ask any questions or insult me or anything like that.

So now I realized that I need to leave sort of an awkward silent pause to give you all time to read the quote that I've decided to put up in between all the slides.

So I'm going to try and not rush everybody but not let it sit there for five minutes either, so.

So, starting off with why am I even here?

Why did I even bother putting a talk together?

So again, I'm an intelligence analyst.

I've also been a SOC analyst.

I work in cybersecurity operations' nuts and bolts every day.

And I think there's-- kind of as a problem statement, I'm not going to say that this is really a problem but this is a challenge.

We need to ensure consistent, timely information that we have access to in order to support an investigation and its incident response.

Is that something that you would all agree with?

I'm hoping most of you will say yes, otherwise I'm in the wrong spot.

I'm going to use the term analyst if I talk about the role.

Please understand that, that would mean a SOC analyst incident responder, a threat researcher, anything like that who might be serving in this kind of capacity.

So, now some actual problems.

If you are like me, I'm on a team that's dispersed throughout the country, throughout the world.

So there's time zones.

There's communication difficulties.

There's just not the same as face to face.

We have-- our team is made up of some diverse backgrounds.

We have folks who, like me, are more technical.

We also have folks who came in from the more intelligence and the more social side.

So depending on who you ask a question, you may get a type of answer depending on their background.

Personal research preferences.

That's always the-- there's these five sites that I always like to look stuff up on, and somebody else uses three of the same ones and two other ones that they use.

And then there's the issues of I can't remember my password for that site or that's a new vendor and I lost my log-in token or I log in and I can never find anything on that stupid site that he likes so much and whatever.

So that breaks up the opportunities for consistency.

And then also, if you are in a group that needs to do peer review, as a sort of intelligence, we put out written products, and we'd like to do that kind of peer review.

It's not just, here's what I came up with, but make sure this reflects the team.

That can add time to whatever it is you're trying to get out if you're in a priority one incident respond-type situation.

Sometimes that's a precious commodity.

So possible solutions.

Magic crystal ball.

How can you work better, work faster?

Just have one infosec.

Is there anybody who's an army of one infosec person for your company?

Maybe some smaller companies, no?


Learn to type faster.

More products, more vendors.

Obviously, I'm being satirical here.

But I think at least you all agree that there is not a real easy silver bullet to some of these challenges that I've addressed.

Maybe CyBot can help.

Now CyBot, wait a minute.

Presentation is called threatbot.

Don't worry, I'll get there.

Lots of things that end with the phrase bot in my talk, so bear with me.

Speaking of bots.

Awkward pause.

So what is CyBot?

Well, I'm glad I asked.

CyBot is an open source threat intelligence chat bot.

It is developed by the fine folks at Cylance, which is now Cylance BlackBerry.

I didn't realize that until, I guess, just this year.

I was talking to one of their team members at Black Hat, and they gave me the thumbs up to include their stuff in my presentation.

I didn't have to pay them or anything.

It was great.

It is designed again for SOC analyst, incident responders, threat researchers.

So just a quick show of hands.

Anybody who use a group chat in their day to day, Slack, IRC, Skype, Microsoft Teams, anything like that?


OK, good.

So just a quick history.

development on this chat bot.

And the idea of a chat bot-- for those of you who may not be familiar-- is sort of an automated program that sits in a chat room, where people type back and forth, and it is just kind of sitting there and will respond to various commands or prompts typed in by users with different types of information.

So that is the idea of CyBot.

Mid 2017, ErrBot Now wait a minute, ErrBot CyBot, threatbot.

What's going on?

Everything's a bot.

I know.

I get it.

I'll try and keep it clear.

ErrBot is a generic chat bot framework.

I'll talk about it in a minute in a little bit more detail.

But the CyBot plugins kind of sit on top of what's called ErrBot and that is another open source tool, free to download, install, runs on multiple platforms.

The Cylance folks took that.

They added a bunch of their own plugins.

And they said, hey, this is probably something that would be useful for the community.

So they kind of formalized it, polished it up, and then released it as an open source framework, CyBot.

I'll give you the URL.

It's on GitHub.

You can download it and install it from there.

In August 2017, it was the first time that they presented about it at Black Hat.

If any of you have been to the Black Hat presentation, you know the arsenal section is where they demo open source tools and things like that.

And it was-- that was where I first ran across it and thought, hey, that sounds pretty cool.

So that's what caught my attention with it from that Black Hat.

Just some statistics.

Again, these are right from Tony at Cylance.

They presented five different times at Black Hat.

There are 32 functions that it can do right now.

We'll go over some of those in a minute.

They use-- over 300 people use it internally.

Thousands of queries every month.

So it scales up very nicely depending on your hardware, and we'll talk about that.

This is kind of their marketing speak.

There's the robust roadmap of the new features, and they really like the community involvement.

So if you end up taking something that you've learned today, taking it back, developing your own little plugin for it, they would like to hear about it.

They like to keep it open source.

They don't want to seem like they're endorsing or providing recommendation for one vendor over another.

You are certainly more than welcome to do that.

As you will see, I did some plugins for ThreatStream.

Now I will mention-- when I said threat stream in here, the good folks at Anomali said, you know, not everybody who comes here is a customer, not everybody has access to ThreatStream.

You may want to make it a little bit more vendor agnostic.

I was kind of impressed that they told me that.

And so what I will say is I'm using ThreatStream, and I also will reference Slack because that is the platform that I use.

But I am assuming that most tip products-- even if you have maybe a homegrown one or something that you put together, open source or another vendor-- it will probably work in the same way.

You will need an API interface to talk to it, but you can probably then script it out.

There's no magic.

There's no secret ThreatStream voodoo that will only work on that platform.

So community supported.

Tony Lee is the gentleman who I've been talking with about this.

He's one of their senior technical directors.

If you're interested in following him, that is his blog.

He talks about the development of CyBot.

He's-- they're currently building some integrations for Microsoft Teams, and so you can kind of see the day to day.

If you think, wow, this is great I need to know more, that's where you can go.

And you can reach out to him for any specific questions.

I don't work for Cylance, obviously.

We mentioned that before.

So any more specific technical type questions or questions about plugins or anything like that, you can go to their team.

They're very responsive.

Anybody think they know the novel so far?


A couple of hands.


All right.

I'm not that old, I swear.

So these next few slides are just kind of an overview of the commands.

I'm not going to read every single word.

I assume you all are very literate and can read.

I'm just going to call out a couple of interesting ones.

So from-- and again, this is-- the idea is from the chat room.

You can run these commands.

Get your results right there in front of you.

Whoever is in the chat room with you can also see them.

So there's one that will query VirusTotal for URL hash.

You can do kind of generic network, WHOIS and there's lookup, GeoIP link on shortening, how many times do we take a look at those URLs or anything like that.

It will take one of those and return the long version.

Link extractor, you can give it a website, and it will give you back all of the anchor, the HTML links from there.

URL decode.

Sometimes a URL is obfuscated with the URL encoding scheme, percent 20, blah, blah, blah, whatever.

That will take it out.


Some more specific threat vulnerability research commands.

If you're dealing with a ransomware and you're not sure which one it is, hey, I've got-- it left me this ransom note on my desktop or it's got this file extension, you can look it up and see if it's known.

Some of these will pull kind of open source databases.

There may be a specific one.

If you're looking up a threat APT group, it will give you some information based on the MITRE ATT&CK framework.

And my brain stumbles over that ampersand sign in ATT&CK every single time.

A ta and ack, but it's pronounced attack.


Very hot.

APT groups.

I believe if you all-- any of you who are familiar with the big Google doc spreadsheet on APT groups, that talks to that, and you can do kind of a free tech search, and it will return what APT groups may be associated with that.

Common hacking tool, CVEs, security news, vulnerability news.

Some of those are more just kind of informational.

Some are more specific.

Miscellaneous commands, it can tell you how your statistics-- how you're using it, how many queries it's run, things like that, time, weather.

I mentioned credit-- mentions credit card like, oh, sweet, credit cards.

All that does is if you have a number that you're not sure is a valid number, it will run it through the algorithm to determine whether or not it is a valid number.

It will not tell you whether it is active.

So please, please keep that in mind.

It's not designed to tell you, yeah, go ahead and use this one.

Time-- Bitcoin, it'll give you the latest Bitcoin conversion, if that's interesting.


Tell me a joke, yeah, OK.

Code name.

I've never had much luck with a code name.

The code names that comes up with are kind of dumb, I think.

But if you are in a place where you need to use code names to refer to specific investigations or instant responses and you don't want to say this is the time that our bank got hacked, you can say this is related to the incident on whatever.

The idea is it can give you a two-word code name.

Your mileage may vary.

All right.

These are the new commands, and I swear this is the last time-- the last slide with commands in it.

This is new stuff that was just released this year in Black Hat.

You can give it a website, and it will pull down and return a screenshot of that website right in your chat room, so you don't have to go to another third-party service to look it up.

You can download a VirusTotal file if you have the proper API key to do so.

It will package it up.

It will include it in a zip file, and it will password it and drop it right in the chat room for you.

And then there's some Cuckoo Sandbox integration.

I don't use that, so I can't speak to those.

But that is what's new.

So that is CyBot.


There's cyber again.

So what do you need?

What do you need in order to make this all happen?

You really need just a very low-end computer.

Now if you're running hundreds of users and thousands of queries every month, you may want to step it up a little bit.

The original CyBot ran on a Raspberry Pi.

It was on Tony Lee's desk for a number of years, and they have now migrated it to an actual data center server.

You can run it on a VM if you have a spare VM host somewhere on your network.

Cloud instance, that's how we use it.

We have it running on a very low-end Unix cloud instance on Amazon and with the usage level that we have and a public static IP address.

It runs about $5 a month.

And my boss and my wife always tell me I need to submit that for reimbursement, and $5 a month just doesn't seem worth it.

But if you start using it more extensively, you may want to take a look at some other option, like maybe that old laptop that's hiding under your bed collecting dust or down stuck in your basement somewhere.

It uses Python.

It does need Python I don't know if that's recent or current.

I don't again-- I don't actually even program in Python, but somehow I managed to make this work.

So if I can do it, you can certainly do it.

That is pretty much it as far as the hardware.

Obviously, it's going to assume you're using some sort of group chat.

The ErrBot framework can talk natively to the ones on the first bullet point, Jabber, IRC, Slack, Telegram.

There are also add-ins if you use-- I've never heard some of these.

Some of the-- in the second bullet point, you can just-- you have to just add a little bit, one more installation.

They are working on integration now with Microsoft Teams, which I guess is going to be the replacement for Skype, and what I have heard is that coding things to talk to Microsoft Teams is a little bit trickier.

So that's kind of taking a little bit more time.

Again, you can follow Tony on his blog if you're interested in that.

So you use one of those, you've got a VM, what do you do?

OK, first thing you need is the ErrBot framework, which I've mentioned.

It is a generic chat interface plugin.

The idea is that you can have this ErrBot framework sitting at the low level, and it will talk to your-- whatever your chat program is of choice.

Why is everything named bot?

I don't know.

I guess it's cool.

It will run on Windows, Mac or Unix.

This is apparently the official website.

There's not an, and it's really just a how-to guide.

There's very little in the way of screenshots.

It's not marketing.

It's really just nuts and bolts, here's how you get it, here's how you run it.

The idea, why do they do it this way, why is there ErrBot, then CyBot, then whatever else in the world that I'm going to talk about is because that way, you can swap out your platform underneath if you decide, hey, I need to scale this up, I need to run it on something bigger than that little teeny laptop that doesn't work.

You can just do a new install of ErrBot on your new platform.

And the CyBot, which sits on top of that-- I'll get to that in a second-- is literally just a folder that you can copy, you can drag and drop right onto the new one.

Bang! You don't have to do anything different.

If you want to change your chat platform, hey, stop using Slack.

Now we're going to use Teams.

You just make the configuration changes in the ErrBot, stop using the Slack server, start using the same server, and everything is seamless.

So it's a lot of moving parts, but it's designed so that you can have that flexibility to move and scale it as you use it.


So CyBot, I mentioned it installs on top of ErrBot.

It's a framework on top of a framework.

We work in technology.

That's kind of par for the course.

As I mentioned, it's a single folder of scripts, easy to install or upgrade.

And you upgrade, you just basically kind of make a backup copy of your current folder.

You can pull the new folder from GitHub, drop it in.

If you've got any custom information, API keys, any-- if you're using it against any internal resources, any internal addresses, and you're upgraded.

So this is where you can find the CyBot code.

It's free.

There's how-to instructions there.

You can also search for CyBot Cylance, and it'll come right up.

It'll be the first link, so.

I did mention to Tony Lee again at Cylance at this Black Hat, right now upgrading to the latest version is a manual process.

So the version that we have at work is still running from two years ago.

I've not upgraded it to the latest and greatest.

And I said, hey, it would be cool if you could have a command to update itself.

So he said, ooh, I like that.

So that might be in the works.

We'll see.


Last piece you need is you need to tell your chat application how to talk to CyBot.

So you need a bot, a chat bot in your Slack or our Slack, depending on what platform you have.

Again, we use Slack.

You will need to check your documentation for the specifics.

If you use Slack, that's very difficult to remember, URL.

Or you can just go to the app store in Slack and say I want a bot, and the first link that comes back should be the official.

There's other chat bots that other developers have put in there.

We're just using the Slack, the official Slack chat bot, and it works fine.


Some of the plugins need API keys.

VirusTotal, Google, ThreatStream, which if you're not sure where to get the ThreatStream, when it's just right in the settings, depending on your user access you may not be someone who has API access on your ThreatStream instance, for those of you to ThreatStream.

Check with your ThreatStream admins.

And again, ThreatStream nothing magic here.

If you have another threat platform that you use, there will be an equivalent.

So I'm not going to share my key, but that's where you can find it.

But that's not why you're here.

Actually, maybe it probably is, a little bit, at least not the only reason.

But-- so let's get into the part that I'm sure you're all eagerly awaiting.

I hope that isn't a threat.

So speaking of threats, ThreatStream, so here we are.

So I took this CyBot install, and I fired it up and thought, boy, that's really useful.

We got some good use out of it on our team here and there, and it'#39;s nice.

Like I said, let everybody see the same research that's being done, lets you kind of do it without having to go log into 10 different sites.

And then I learned that there are ThreatStream API documentations.

Current version is 2.5.5.

Check-- they update it fairly regularly.

They've updated it actually a couple of times since I started doing this, putting this presentation together.

You can get to it from their portal and the Downloads page.

And there is actually a GitHub repository with some sample code.

It's a little bit dated.

The date in it is 2014, but it actually worked out pretty well for what I needed.

The trick is going to be-- and this is where you will need a little bit of technical know-how or someone who can take Python code.

You will have to kind of wrap it in the ErrBot, the CyBot in order to allow it to talk to the bot.

So the bot will speak Python, but you will need to tell it exactly how to invoke what you want to name your functions in the chat room, how to invoke it, how to give it commands and what to do with the data that comes back.

So that's where it will need a little bit of tender loving care.

But the ThreatStream API code is a good place to start.


So this is our chat bot TIG.

TIG stands for threat intelligence group, because I'm terrible at coming up with clever names, but that actually seem to work.

So this is our bot that sits on our Slack chat room and is very smiley, so happy, like I said.

So threatbot.

And I realized that to this point, I had not actually used the term threatbot, which was on the very first slide.

And I thought, well, that's probably poor etiquette.

So threatbot.

So I'm calling this threatbot now, even though our threatbot is named TIG.

So what does TIG have to offer?

TIG will let us speak directly to ThreatStream without having to go log in.

So we have access to any information in the ThreatStream portal right through our Slack channel, right through our chat bot.

The results are there.

And one of the key things that's nice is that people who may be in your chat room who may not have ThreatStream access are able to run the command, get the same results without needing the portal log in.

Now just a caveat.

Please check on your API usage.

If you've got all your 100 Tier 1 SOC Analyst running queries all day long and then you go to use it, and it says, oh, sorry you can't do that right now, make sure you understand what your API usage is.

It will make an API call every time you run a command.

So if you have a limited API or if you have different types of permissions on your API, you'll want to make sure you verify those and test them out before you turn them over to your users.


So I came up with three different commands that I thought would be useful.

So ask ThreatStream about an indicator of compromise and give me the results in the chat room.

And I think the terminology is observable indicator, whatever we want to call it.

The same thing, but, hey, sometimes instead of just having it dumped there, I want it in the CSV format.

So it will take that same observable, that same indicator and return it in something that I can then copy, paste out.

I'm trying to work on having the Python script, actually package that up into a CSV file and dropping the file there for download.

I couldn't get that done in time, but I'll show you what I've got so far.

And then finally, here's an indicator I have.

Let me see if ThreatStream knows of any APT groups that have used this particular indicator.

Now I will mention, these first two will do-- it will do a wildcard search.

It does a regular expression search through the API call.

The third one doesn't.

I don't know why.

That's an API limitation, so you have to put the exact IP or the exact hash, whatever it is.

The other one's whatever portion you put in, it we'll take that and return results.

I have it set on the first one to limit three results.

It will give you the most recent three.

And again, the CSV will return the most maximum, the most recent 100.

You can change that in your script.

I just did that for usage readability screen real estate.

You can set those to whatever you want.

Sometimes you type in something and you get 600 pages of results, and that's not useful.

So three seem to be a good fit that will let us get a pulse, hey, have we seen this before, yes or no, what do we know about it most recently.

If you wanted it in CSV format, it returns a little bit more.

So this is what it looks like.

I type in.

My command is ts, and I just use the word foobar, because why not?

And this is the result that I get back.

So this is TIG telling me back.

I've done the markup.

That is the Slack markup.

That's not a Python function.

The markup is included in the Python script.

So again, you'll need to further your chat platform if you want to do it.

By default, it will just dump out as regular text.

I've highlighted the part that matched.

So it matched in one of the tags.

It will match when you do the intelligence call through the ThreatStream API.

It will match against any of the fields.

There are ways you can design API calls to focus more specifically on certain types of indicators if you're interested, but we just like a generic match.

We usually have something that's granular enough that it's a single IP or a single URL or whatever it may be.

These are the fields that I thought would be interesting.

Again, just to get a pulse, have we seen this, what do we know about this quickly.


And then now, this is visible to everybody who is in the chat room.


If you don't have anything, Zero Cool, doesn't know anything about Zero Cool-- again, I'm not that old-- it tells you couldn't find anything.

And then I did an example of just part of an IP address.

And actually, it gave me better, more interesting results, at least for the purposes of this presentation than I expected it to, because again, I've highlighted the matching parts.

I did 91.40 and I did 91 something, something 40.

It did match-- it matched a 191.40, and it matched the So if you're getting too much, make a more specific query.

I mean, that's basic, how do you search for stuff.


This is what the CSV output looks like.

In the first row is the header row.

So when you copy, paste, you can include that, and it will drop that in.

Slack very helpfully renders colon email colon as a little email envelope, which I didn't want it to do.

It looks goofy.

But if you copy, paste that out of there into a text editor into a spreadsheet, it will actually have the word.

It will not try and paste the emoji in there.

One other thing-- and again, this is a little bit more specific to Slack, it may depend on which one you use-- periodically, it will introduce line breaks wherever it thinks, if there's a different timestamp or something and it's returning the results.

So you may need to do a little bit of cleanup when you paste it in.

Don't just paste it in and send it out without reviewing it just because it may not quite-- some lines are too long and they fold over the next one.

So just take a look at that.

Again, I'm trying to find a way to have it generate that file automatically and then upload it to the channel so that we don't have to do this.

But for now, it works.

Again, street coding, so.

The last one, and this is one that I just kind of newly put together because I thought it'll be interesting, the idea is I can provide an observable indicator, and I want to see if ThreatStream knows which threat groups have used it.

Now this one, it took me a while to find one that came back with more than one result, and this is going to be largely dependent on how you are using ThreatStream or how you use your threat platform.

If you make those associations, if you import indicators and then go in and say associate this indicator with this threat actor, the more consistent you are with doing that, the better results you will end up getting.

And then you can either share those out obviously through ThreatStream, gives you the ability to share that linkage out with the community or keep it to yourself.

So again, the more consistent you are with doing that, the more complete your data is, the better you'll get at this.

But right now, a lot of the times I ran this, and it doesn't return anything, because ThreatStream doesn't know it or it'll just return one.

And what it does, it gives you the kind of one of the names, kind of the main name that it finds for ThreatStream.

There's the name, and then it has a bunch of aliases, and then it will give you a hyperlink right out to there.

So if you do want to take a look at it in the portal, you can do that.

And again, if it doesn't find anything, no bad guys are using local host.

That's probably the thing.

And if your local host is in use by a bad guy, you're far beyond help.

So then, I was going to show you what the code looks like, and this is the code, and screenshots of program code are hard to see.

If you are interested in actually seeing the code, reach out to me via email or text.

I'm happy to make it available.

Don't judge me, it's not pretty, but it works.

But this is what it looks.

Pretty color coded in the text editor, but this does work.

It's not very involved.

Each one of those is a little script, and they're mostly the same and a lot of it is just kind of formatting the API call and then formatting output.

This is the key right here.

These are the API calls that my script is using.

So if you-- and these are again available in the ThreatStream documentation.

The first two are using the intelligence API call, and that lets you do the wildcard thing.

And then one thing that I will know and I've highlighted, the user name in the API key need to be built into that string.

Now I have them because I'm just using my own user ID and my own API key.

I built that into the script, so our users don't have to worry about that.

You can also-- and again, this comes back to API usage limitations.

If you want people to be using their own API keys, you can also build your script to take user name and API key as a command line parameter and then plug those in.

So that's one variable thing again depending on how you'd use it.

You see where the query goes, and again it's got a wildcard regular expression match on either end.

So for the first two, using the intelligence.

And then I've also highlighted where I set the limit.

That's again right on the API call.

And there's other things you can do if you only want a certain indicator type, I only want to see IP addresses, I only want to see whatever.

The API documentation is really pretty good, pretty robust.

Will give you all those details that you need.

And again the sample code as well is there.

The APT code, it does not do that wild card, so you will need to just plugin, type in whatever you want to get out as a sample.

There's lots of other stuff in the API documentation that you can look at.

We'll look at that in a minute.

Now, this is what you get back.

Some of you probably are overwhelmed by looking at this, and some of you will say, like, yeah, I know that's JSON.

That's what the API returns.

It's ugly.

It's a big blob.

That looks pretty different than the screenshot I showed you before.

And if you-- your browser may kind of render it a little bit prettier.

And you can have it return something like this if your users are comfortable with that.

I'm not.

But again, if you're trying to just get it quick and dirty, that works.

So just some usage on-- so let me-- actually, let me go back one.

So based on this, you can do the markup.

I only want certain fields.

You can do the chat bot markup.

You can do whatever in the Python script.

So my Python script pulls this.

It matches the fields that I'm interested in, it adds a little markup on the header and adds line breaks.

So that's how that turns into what you saw before.

So just some usage notes.

We found out pretty quickly that if you start running research in your main chat room channel, it will blow away.

It kind of scrolls up past whatever everybody else was just talking about.

Or if you're trying to research something and there's an active chat going on your research, then it goes up.

So we set up a separate channel just called research, and the idea is you know that's where the chat bot lives.

You can go in there, do your research.

Again, everybody can see-- usually if they subscribe to that channel-- what stuff is going on in there.

Oh, here it is.

So include-- any chat markup that your platform needs, you can include that right in your Python script.

Really, the output will just be delivered as text to the chat platform.

So however that looks, if there's squiggle characters or whatever that do something magical, that's where that comes from.

Can use either-- if you have an on-site on-prem device running your ThreatStream platform or the cloud, one nice thing about if you have it located on your network is you can also then build in your API calls if you have other ticketing system, if you have other internal resources that you would also be interested in using API access to.

Your ThreatStream will kind of fold right into that versus I mentioned we run ours on the Amazon cloud, so we're off network.

Again, that big ugly JSON blob.

Kind of take a look through, figure out what are the fields that would be of interest to you.

Now if all of your SOC analysts have these great big monitors or if you've got them up on the wall in a fusion center or something like that, you can fit a lot more on there versus if everybody has laptops.

That's why you saw I have eight or nine different ones that I thought would be the key.

Keep your least-technical user in mind.

So if you're going to have people put in their API key, they have to know where to save that, they have to know where to get it.

If you're going to return a big ugly blob of JSON and you know somebody is just not going to do with that, you're not saving any time, you're not coming back to how can we be more efficient.

And I will let you know our threat intelligence director is a crispy Old Navy intelligence guy.

Very smart.

His head is really in the intelligence space.

He's very technically competent.

He understands the cyber realm.

But he's just not a techie, he's not a nerd like me, and he is not someone who would go log into a portal to go research an IP address or a file hash necessarily.

That's just not his game.

But he is one of the more frequent users of this capability, checking with ThreatStream just because it's so easy for him, he knows how to do it.

Exclamation point ts and then the IP address, the hash.


And then he knows what he needs to know.

It took him 10 seconds.

So that's my success story, is that he's able to do that.

So that's something you want to keep in mind as you're building your own custom scripts.

If they get too complicated, your people who are less technically comfortable are probably going to not use it.

So some other ideas just that I came up with that may be of interest to you and taking a look through the API documentation.

You can submit a file there.

ThreatStream has a sandbox in it.

You can submit a file or URL to the sandbox.

You can send data that way if you're interested.

There are enrichments.

You can pull enrichment data out from the platform as well.

That's something I've attended a number of talks so far and talking about some of the different enrichments.

ThreatStream in particular is really pushing that integration with other services in a single pane of glass.

I hate that buzzword, that buzz phrase.

You can actually-- the API lets you add or modify content.

So you can import things, you can update tags, you can change the metadata associated with those if you're brave enough to do it, because that's obviously-- right now, I have it rigged for read only.

I don't want to change anything.

And I figure as a control, as a data validation piece, we're going to make people enter it in the platform the right way with those checks rather than assuming that I know what I'm doing when I write a Python script.

Vulnerability information is in there.

That's one of the newer APIs calls.

So on the slide, I have not quite there yet.

Now this is late breaking after I already-- I had it-- send in my slides a couple weeks ago.

My problem with vulnerability information is how do we refer to vulnerabilities.

CVE ID right?

Or just the clever that all the vulnerability names get, but usually CVE.

The API-- the ThreatStream API uses a field called ID, but it is the internal ThreatStream ID number.

It did not have a separate CVE data field.

Now what I found is that some of them, there is a name field, so vulnerability has a name, and some of them have the CVE value as the vulnerability name.

So you can use the name field to search for CVE.

But I am not sure, I haven't taken a look at all of them, so I don't know if they all have the CVE as the name or if some of them have that and some of them have BlueKeep or whatever else it maybe.

So just some other thought, some things you can do.

If you take a look through the API documentation, it's very well put together.

It's very straightforward.

Gives examples and everything like that, you can come up with kind of your own use cases.

So again, recap, going with the idea of when you give a presentation, tell them what you're going to tell them, tell them, and then tell them what you just told them.

So we come back to we want that consistent, timely information to support investigations or incident response.

Depending on a work situation, there can be difficulties, there can be time delays, communication, things like that, making sure everybody's on the same page, especially in a high profile or time-sensitive situation.

CyBot can help you get there a little bit quicker if you use a group chat.

And that's it for me.

So again, my contact information is here.

Please feel free.

Like I said, any questions.

If you want to see the code, send me an email.

I'll make it available in some way, Google Docs or some kind of sharing.

Probably not GitHub.

GitHub scares me.

Thanks for listening.

Appreciate it.

About Detect LIVE

We believe that threat intelligence holds the promise of allowing organizations to better manage risk and develop resilience. Detect LIVE, brought to you by Anomali, is a virtual event series that provides a platform for security executives, practitioners, and researchers to share insights and experiences related to threat visibility, detection, and response.