Anomali ThreatStream
Installation Guide
Version: 5.3.5
Support
Support Portal https://support.anomali.com
Email support@anomali.com
Phone +1 844-4-THREATS
Twitter @anomali
Anomali ThreatStream Link is the software for integrating your existing security infrastructure to
Anomali's ThreatStream platform (in the cloud) or to the on-premise ThreatStream Appliance.
ThreatStream Link connects to the ThreatStream platform or the ThreatStream Appliance and pulls
rich, cyber threat intelligence feeds into existing tools and infrastructure thus bringing real-time
intelligence into your existing security solutions to provide operational efficiency and relevancy to
current security technologies. It can output this data in many formats such as CSV, Syslog, and
Common Event Format (CEF), and can also directly integrate with security solutions in your network.
In most cases, ThreatStream Link pushes threat intelligence into your existing security solutions.
However, for security products that support pulling information from other sources, ThreatStream Link
can be configured to serve threat intelligence.
The following illustration shows how ThreatStream Link integrates the ThreatStream cloud platform
with your existing security solutions:
The following illustration shows how ThreatStream Link integrates the ThreatStream Appliance with
your existing security solutions:
Available Integrations
As of this release, ThreatStream Link can forward threat intelligence to the following products. See
"Supported Indicator Types for Integration Destinations" on page 80 for supported indicator types for
Splunk
QRadar
NitroSecurity
LogRhythm
AccelOps
RSA NetWitness
DNS Infoblox
Any product that can use threat intelligence in CSV, CEF, or Syslog format
A single instance of ThreatStream Link can connect to multiple destinations. For example, you can
install ThreatStream Link on a system in your network to provide feeds to multiple SIEM servers in your
network, as shown in the illustration on "Introduction" on page 5. However, a single instance of
ThreatStream Link must have one threat intelligence source: either the ThreatStream cloud platform or
the ThreatStream appliance.
System Requirements
ThreatStream Link must be installed on a system that meets the requirements listed in the following
table. Not all ThreatStream Link sources and destinations are supported on all systems. See "System
Requirements" above for details.
Platform          Specifications
Linux (64-bit)    Any RedHat, CentOS, Fedora, Ubuntu, or Debian release running kernel version 2.6 or later
Windows           Server 2012
Prerequisites
- For using ThreatStream Link with the ThreatStream cloud platform:
  - You must have a ThreatStream account to download and install ThreatStream Link. If you do not
    have an account, register at https://ui.threatstream.com.
  - The system on which ThreatStream Link will be installed must be able to access the Internet,
    specifically the ThreatStream API at https://api.threatstream.com/.
- For using ThreatStream Link with the ThreatStream Appliance:
  - The system on which ThreatStream Link will be installed must be able to make an HTTPS
    connection to the appliance.
- Check the "ThreatStream Link Integrations" on page 29 section for requirements specific to the
  destinations you will be configuring for ThreatStream Link.
Support Matrix
Use the following table to determine the supported platform for your ThreatStream Link integration.
LogRhythm No Yes
Note:
- Refer to "System Requirements" on the previous page to ensure that you pick a supported
  platform for your ThreatStream Link source or destination.
- The Optic Link-5.3.5.win32.msi file applies to both the 32-bit and 64-bit versions of
  Windows.
1. If the ThreatStream Link source is the ThreatStream cloud: Log in to the ThreatStream platform at
https://ui.threatstream.com from a system on which you want to install ThreatStream Link.
If the ThreatStream Link source is the ThreatStream Appliance: Connect to your appliance's UI
from a system on which you want to install ThreatStream Link.
4. In the ThreatStream Link section, click the platform (Windows or Linux) for which you want to
download the ThreatStream Link installation software.
The installation files for the platform you chose (.msi for Windows and .bin for Linux) are
downloaded to your system.
1. Ensure that the .bin installation file you downloaded earlier is located on the Linux server.
2. Make the installation file executable:
chmod +x opticlink_5.3.5_linux64.nnn.bin
3. If the ThreatStream Link source will be the ThreatStream cloud, enter this command:
./opticlink_5.3.5_linux64.nnn.bin
If the ThreatStream Link source will be the ThreatStream Appliance, enter this command:
./opticlink_5.3.5_linux64.nnn.bin -- -a https://appliance
where appliance is the IP address or the fully qualified domain name (FQDN) of the ThreatStream
appliance, and nnn is the build number.
4. Step through the configuration wizard and enter the following information.
ThreatStream Settings
Setting                                    Description
Enter ThreatStream Link installation       Directory or folder where you want to install ThreatStream Link.
directory:                                 For example, /opt/threatstream_link or
                                           c:\program files(x86)\anomali\threatstream_link.
ThreatStream user name:                    User name for the account to use for ThreatStream Link on the
                                           ThreatStream platform or the ThreatStream appliance, that is, the
                                           threat intelligence feed source you are integrating with.
ThreatStream API Key:                      API Key you copied when you downloaded ThreatStream Link.
                                           Default: Yes
                                           Choose Yes if this is the first time you are installing ThreatStream
                                           Link on this system.
Proxy Setting:                             Default: No
Configure Integration
Which product(s) would you like to         Depending on the product you select from the list, you are
integrate with?                            prompted for settings relevant to that product. For example, if you
                                           select Splunk, you are prompted to enter the Splunk version
                                           number, the search head information, and so on.
Friendly name to track this installation:  Default: Hostname of the machine running ThreatStream Link.
                                           This name is used to identify specific configurations in the
                                           opticlink.cfg file and is displayed under My Sensors on the
                                           ThreatStream Dashboard.
                                           Example: ESM_NY
                                           Recommended: Yes
Note: If you are not logged in as root (for Linux) or Run as administrator (for Windows), you
will not be prompted for the following settings.
                                           For integrations such as Palo Alto Networks and AccelOps, install
                                           ThreatStream Link to run as a service to ensure that these
                                           integration points can establish a connection with ThreatStream
                                           Link to download indicators at any time.
Poll frequency for new                     Time interval at which ThreatStream Link should check with the
indicator/software/content:                ThreatStream service to pull updated threat intelligence and
                                           software updates. For example, 5m (for 5 minutes), 1h (for one
                                           hour), 1w (for one week).
                                           Default: 1h
5. The configuration values you specified are written to a configuration file. The following message is
displayed on your screen:
6. Start the ThreatStream Link service as described in "Starting and Stopping ThreatStream Link
Service" on page 23.
  - Carbon Black
  - AccelOps
  - RSA NetWitness
See "ThreatStream Link Integrations" on page 29 to complete configuration for these integrations.
1. Double click the Optic Link-5.3.5.win32.nnn.msi file you downloaded to start the installation.
Note: The Windows installer does not require user interaction and automatically installs the Optic
Link software.
Once installation completes, confirm that the following directories and files exist:
2. If the ThreatStream Link source will be the ThreatStream cloud, enter this command:
opticlink_windows_service -s
3. Step through the configuration wizard and enter the following information.
ThreatStream Settings
Setting                                    Description
Enter ThreatStream Link installation       Directory or folder where you want to install ThreatStream Link.
directory:                                 For example, /opt/threatstream_link or
                                           c:\program files(x86)\anomali\threatstream_link.
ThreatStream user name:                    User name for the account to use for ThreatStream Link on the
                                           ThreatStream platform or the ThreatStream appliance, that is, the
                                           threat intelligence feed source you are integrating with.
ThreatStream API Key:                      API Key you copied when you downloaded ThreatStream Link.
                                           Default: Yes
                                           Choose Yes if this is the first time you are installing ThreatStream
                                           Link on this system.
Proxy Setting:                             Default: No
Configure Integration
Which product(s) would you like to         Depending on the product you select from the list, you are
integrate with?                            prompted for settings relevant to that product. For example, if you
                                           select Splunk, you are prompted to enter the Splunk version
                                           number, the search head information, and so on.
Friendly name to track this installation:  Default: Hostname of the machine running ThreatStream Link.
                                           This name is used to identify specific configurations in the
                                           opticlink.cfg file and is displayed under My Sensors on the
                                           ThreatStream Dashboard.
                                           Example: ESM_NY
                                           Recommended: Yes
Note: If you are not logged in as root (for Linux) or Run as administrator (for Windows), you
will not be prompted for the following settings.
Poll frequency for new                     Time interval at which ThreatStream Link should check with the
indicator/software/content:                ThreatStream service to pull updated threat intelligence and
                                           software updates. For example, 5m (for 5 minutes), 1h (for one
                                           hour), 1w (for one week).
                                           Default: 1h
4. The configuration values you specified are written to a configuration file. The following message is
displayed on your screen:
On Windows 2003:
opticlink_windows_service install
Note: This step is essential even if you chose to install ThreatStream Link as a service during
the installation wizard. Make sure you have selected the "Run as administrator"option on the
Windows system when performing this step.
6. Start the ThreatStream Link service as described in "Starting and Stopping ThreatStream Link
Service" on the next page.
  - Carbon Black
  - AccelOps
  - RSA NetWitness
See "ThreatStream Link Integrations" on page 29 to complete configuration for these integrations.
- You must be logged in as a user with administrator privileges to start and stop ThreatStream
  Link on Windows.
- If you are integrating with Splunk installed on Windows, make sure that the
  ThreatStream Link service is configured to run as the user who is installing ThreatStream Link;
  otherwise copying threat intelligence to the shared folders on Splunk will fail.
3. (Optional) Right click and select Properties and change the "Startup type" to Automatic to start
the service automatically.
On Linux
Note: The following commands must be run as user root.
<install_path>\opticlink_windows_service -s
Note: Anomali recommends using the -s option, as shown in the above procedure, to rerun setup.
If you use the -i option instead, you will need to first disable the ThreatStream Link service, rerun
the setup, and re-enable the ThreatStream Link service. If you must use the -i option, first change
this setting in the opticlink.cfg file: opticlink_service = yes to opticlink_service = no. Save the .cfg
file and rerun the setup with -i. After rerunning the setup, restore the opticlink_service setting to
yes.
On Linux
To rerun the ThreatStream Link setup:
1. Log in as root.
<install_dir>/opticlink -s
3. Ensure that all files were successfully removed from the following directories:
  - ProgramData\Optic Link
On Linux
1. Log in as root.
Understanding Filters
By default, the ThreatStream Link downloads consist of all intelligence applicable to your destinations
and includes all fields. However, you may be interested in threat intelligence that matches specific
indicators or conditions. For example, you may be interested in only downloading threat intelligence
that matches specific indicators such as only indicators with a specific confidence, severity, or specific
threat type.
You can configure ThreatStream Link to download threat feeds that are specific to the criteria of your
choice. Doing so not only customizes the threat intelligence to your needs but also reduces the size of
the download.
You need to set up a filter to tailor the threat feed to your infrastructure. You can set up two types of
filters on ThreatStream Link: a source filter and destination filters.
There can be only one source filter per ThreatStream Link instance. Not all fields available on
ThreatStream are supported for a source filter. See "Fields" on page 75 for a list of supported
fields.
Destination filters are destination specific; therefore, you can set up a unique filter for each
destination. Not all fields available on ThreatStream are supported for a destination filter. See
"Fields" on page 75 for a list of supported fields.
Specifying Filters
The syntax of a filter consists of one of the following:
Note:
- The field names, operator names, and values are case sensitive. A list of allowed values
  for the field types is available at "Fields" on page 75.
- Although the value for string field types only needs to be enclosed in double quotes (" ") if the
  string value contains special characters such as a space, dash, slash, and so on, as a best
  practice always enclose string values in double quotes.
If you need to search for specific indicator values, use the srcip, domain, md5, and url fields along with
itype, as shown in Example #3 below.
See "Fields for Filtering" on page 75 for a complete list of fields, operators you can use, and the
indicator types available for filtering.
Examples:
4. ((itype != "bot_ip" AND confidence >= 75) OR (itype = "bot_ip" AND confidence >= 99)) AND classification = "public"
5. confidence > 75 AND (itype startswith apt OR itype startswith mal OR itype startswith c2)
Specifying stream_id=0 returns IOCs that are not associated with any streams, such as IOCs that
were imported into ThreatStream. The source field is useful in filtering IOCs from a specific
source, such as a user, a company, or a specific domain. This field is supported on ThreatStream
Link, as shown in the example above.
To limit the filter to IOCs imported by a specific source and marked private, modify this filter to
(itype="scan_ip" OR itype="mal_ip") AND (classification="private" AND stream_id=0 AND source="@mycompany.com")
Troubleshooting Filters
If a filter you enter is invalid, use the following tips to troubleshoot the syntax of your filter:
- Field names, operator names, and values are case sensitive. Ensure that you used the
  expected case. Boolean operators must be entered in upper case.
- Ensure that you are using valid operators with a field type. For example, do not use the startswith
  operator with a Date field.
- Not all fields are supported for source and destination filtering on ThreatStream Link. Ensure that
  you are using supported fields for source and destination filters.
AccelOps
Guidelines
- Do not use the same ThreatStream Link installation to serve indicators to QRadar API, Palo Alto
  Networks firewall, AccelOps, and RSA NetWitness destinations.
- AccelOps integration with ThreatStream Link requires about 40 GB of disk space on the
  ThreatStream Link system. Make sure that the ThreatStream Link system is provisioned with
  sufficient disk space.
- DO NOT create more than one list to retrieve IP-based indicators from the same ThreatStream
  Link on an AccelOps system. Doing so can cause indicators to get out of sync between AccelOps
  and ThreatStream Link.
Integration Settings
You must configure these settings if you enter "accelops" as the response to the "Which product(s) would
you like to integrate with:" question during the ThreatStream Link installation.
Setting                          Description
AccelOps version:                Default: 4.4
                                 Version of AccelOps with which you want to integrate.
Filter expression for            Criteria by which threat intelligence will be filtered to the destination. If you do
this destination:                not want to use a filter, leave this field blank. Example: modified_ts > -14d.
                                 See "Fields for Filtering" on page 75 for fields and "Indicator Types" on page 82
                                 for indicators you can specify in the filter.
Use these steps to enable AccelOps to recognize ThreatStream Link's self-signed certificate:
2. Copy the ssl_cert.pem file to the /root/ directory on the AccelOps server.
6. Add the following entry to the hosts file on the AccelOps server:
<IP_address_of_Optic_Link> opticlink
Note: It is very important to enter this entry accurately. Otherwise the self-signed certificate
will not be recognized on AccelOps.
1. After ThreatStream Link has been installed but not yet started, rename the
<install_dir>/scripts/ssl_key.pem file to another name such as orig_ssl_key.pem.
2. Start the ThreatStream Link service, as described in "Starting and Stopping ThreatStream Link
Service" on page 23.
Note: Make sure you perform these steps only after configuring AccelOps to use either HTTPS or
HTTP to communicate with ThreatStream Link, as described previously in this section.
Follow these instructions to configure the AccelOps system to start receiving indicators from
ThreatStream Link:
2. Run the following command to SCP the file to the following folders on the AccelOps system:
a. Run this command and locate the process IDs of the two Java processes running on the
AccelOps system:
kill -9 <process_id_1>
kill -9 <process_id_2>
4. Connect to the AccelOps user interface and configure the following three lists to retrieve indicators
from ThreatStream Link:
  - TS_Blocked_Domains: Create this list under Blocked Domains. It will be used for domain
    indicators.
  - TS_Blocked_URLs: Create this list under Blocked Domains. It will be used for URL
    indicators.
  - TS_Blocked_IP: Create this list under Blocked IP. It will be used for IP indicators.
Note:
- The names specified here are suggestions. You can use names of your choice.
- DO NOT create more than one list to retrieve IP-based indicators from the
  same ThreatStream Link on an AccelOps system. Doing so can cause indicators to get out of
  sync between AccelOps and ThreatStream Link.
b. Click Update.
d. Click Add.
Setting          Description
Plugin class     If you will be configuring AccelOps to perform a full update to update indicators
                 from ThreatStream Link, skip this field.
                 com.threatstream.IntelligenceUpdateService
Data Format      For a full update every time, select CSV and Full.
                 For an incremental update, select Custom and Incremental.
Data Mapping     Note: Configure this field only for full updates. The Plugin class provides
                 mapping for incremental updates.
                 For the TS_Blocked_IPs list, map the Data Mapping fields as shown in the
                 following figure.
2. Click Save.
If you chose the Full Update option for indicator updates, configure a schedule for your AccelOps
system to download indicators from ThreatStream Link. As a best practice, configure the
full update schedule so that it runs after ThreatStream Link downloads the latest indicators.
If you chose Incremental Update, you must ensure that the ThreatStream Link download schedule
is tightly coordinated with the incremental update schedule. The incremental update must occur
right after ThreatStream Link downloads the latest indicators from ThreatStream and definitely
before the next round of indicators is downloaded on ThreatStream Link. This keeps the latest
indicators downloaded on ThreatStream Link in sync with the indicators AccelOps picks up. For
example, if ThreatStream Link is scheduled to run every hour with the updates starting at 10 minutes
past each hour and finishing in 30 minutes, configure AccelOps to start hourly at 50 minutes past
the hour.
ArcSight ESM
Integration Settings
You must configure these settings if you enter "arcsight_esm" as the response to the "Which product(s)
would you like to integrate with:" question during the ThreatStream Link installation.
Setting          Description
                 Version of ArcSight ESM that you want to integrate. Versions 5.2, 6.0, and 6.5 are
                 supported.
                 Port on the ESM server to which ThreatStream Link will connect to download the
                 ThreatStream content.
ESM user name:   User name ThreatStream Link will use to connect to the ESM server.
Syslog host:     Name or IP address of the Syslog server to which the ThreatStream intelligence
                 will be downloaded.
                 Port on the Syslog host to which ThreatStream Link will connect to download the
                 ThreatStream intelligence.
Carbon Black
Guidelines
When threat intelligence is pushed from ThreatStream Link to Carbon Black:
- You must create a folder on the Carbon Black server where the threat intelligence through
  ThreatStream Link will be downloaded. For example, create a folder /tmp/ts for threat intelligence
  from ThreatStream.
  Note: This folder must exist on the Carbon Black server before you configure a Carbon Black
  destination on ThreatStream Link.
- A user with SSH access privileges to the Carbon Black server must exist. You will need to provide
  the user name of such a user during the configuration of a Carbon Black destination on
  ThreatStream Link.
- You must enable the General Sharing Settings - Enable Alliance Communication on Carbon Black.
Integration Settings
You must configure these settings if you enter "carbonblack" as the response to the "Which product(s)
would you like to integrate with:" question during the ThreatStream Link installation.
Threat intelligence from ThreatStream to Carbon Black contains IP, domain, and MD5-based
indicators.
Threat intelligence can either be pushed from ThreatStream Link to the Carbon Black server or pulled
by the Carbon Black server.
When ThreatStream Link pushes threat intelligence, it downloads and securely copies the threat
intelligence files to the Carbon Black server, and then makes a REST API call to load those files on the
Carbon Black server.
When Carbon Black fetches threat intelligence, the Carbon Black server makes an HTTP or HTTPS
connection to ThreatStream Link.
Once threat intelligence has been loaded to a Carbon Black server, you can view threat reports, set up
alerts, watchlists, and so on from the Carbon Black "alliance-feeds" UI page. See "Additional
Configuration After Installing ThreatStream Link" on the next page for more information.
Setting                          Description
Carbon Black server url:         URL (of the Carbon Black server) that ThreatStream Link will use to
                                 make the REST call to load the threat intelligence files to the Carbon
                                 Black server.
                                 ThreatStream Link will use this token to connect to the Carbon Black
                                 server.
Carbon Black folder for          Name of the folder to which ThreatStream Link will copy
ThreatStream feed:               ThreatStream intelligence from ThreatStream.
SSH port:                        Default: 22
Filter expression for this       Criteria by which threat intelligence will be filtered to the destination. If
destination:                     you do not want to use a filter, leave this field blank. Example:
                                 modified_ts > -14d.
                                 See "Fields for Filtering" on page 75 for fields and "Indicator Types" on
                                 page 82 for indicators you can specify in the filter.
                                 Default: password
                                 Select "password" if you will use a user name and password for
                                 authenticating.
                                 Select "public key" if you want to use an SSH key pair for
                                 authentication. See "SSH Key Pair Generation" on page 92 for more
                                 information about setting up an SSH key pair.
SSH private key:                 - If you selected password, enter the password for the SSH user.
SSH private key password:        - If you selected public key, enter the SSH private key and the
                                   SSH private key password.
                                 Specify the port on Optic Link that the Carbon Black server will connect to
                                 for fetching threat intelligence.
                                 Default: No
If you configured ThreatStream Link such that the Carbon Black server will fetch threat intelligence
from it, you must add a new feed on the Threat Intelligence Feeds page as shown in the following
example. Change the IP address shown in the Feed URL field to the IP address of your ThreatStream
Link.
By default, the maximum number of indicators you can download is 10,000. Adhering to this limit
ensures optimal performance and also eliminates indicators with lower priority. Anomali suggests
specifying a filter (or fine tuning the filter if one exists already) to limit the number of indicators to the
allowable limit. You can filter indicators that are downloaded to the Carbon Black server by specifying
criteria, such as (confidence >= 90 AND (itype startswith "c2" OR itype startswith "apt")). See
"Configuring Filters" on page 26 for more information.
Configuring Alerts
To receive alerts when an indicator from ThreatStream matches data on Carbon Black, click Create
Alert, as shown in the following figure.
When ThreatStream Link updates threat indicators on Carbon Black, it updates threat intelligence
based on the schedule specified in the "Poll frequency for new content" setting during the ThreatStream
Link installation (by default, 1 hour).
In both cases, the existing ThreatStream indicators are removed and replaced with the latest ones.
Note: The Incremental Sync option available on the ThreatStream widget (under the Actions drop
down), on the Threat Intelligence Feeds page, is inactive and does not update intelligence from
ThreatStream. Threat intelligence is always updated automatically through ThreatStream Link,
based on the specified schedule.
BroIntel
Integration Settings
You must configure these settings if you enter "bro_intel" as the response to the "Which product(s) would
you like to integrate with:" question during the ThreatStream Link installation.
Setting                          Description
                                 Examples: /opt/threatstream or c:\programdata\Optic Link
CEF
Integration Settings
You must configure these settings if you enter "cef" as the response to the "Which product(s) would you
like to integrate with:" question during the ThreatStream Link installation.
Setting                          Description
CEF file:                        Specify a name for the CEF file to which intelligence from
                                 ThreatStream is downloaded.
                                 Example: TS_top1000
Cloudera Impala
Guidelines
The following guidelines must be followed to ensure that you adhere to a supported integration setup for
Cloudera Impala:
- ThreatStream Link must be installed on a node in the Hadoop cluster; ThreatStream Link installed
  on a machine outside the cluster is not a supported configuration.
- The user account used to install ThreatStream Link must have read-write access to HDFS.
- The machine on which ThreatStream Link is installed must have the Impala shell client (for
  non-secured clusters) and the Beeline JDBC client (for Kerberos-secured clusters).
- If the Hadoop cluster is Kerberos-secured, make sure that the Kerberos ticket being used by
  ThreatStream Link to authenticate with the cluster stays valid. If the ticket expires, communication
  with ThreatStream Link will break and you will receive an error.
- If the Hadoop cluster is Kerberos-secured, do not run the ThreatStream Link service in the background.
Integration Settings
You must configure these settings if you enter "cloudera_impala" as the response to the "Which product(s)
would you like to integrate with:" question during the ThreatStream Link installation.
Setting                          Description
Is Kerberos enabled on           Yes or No
Hadoop cluster:                  Default: Yes
                                 If your Cloudera Hadoop cluster is configured to use Kerberos for
                                 authentication, accept the default value and configure the next four settings.
                                 If your Cloudera Hadoop cluster does not use Kerberos, enter No and go to the
                                 last setting in this table, "Impala host" on the next page.
Impala authentication            LDAP/AD
protocol:                        Default: LDAP/AD
                                 Currently, only LDAP authentication is supported on Impala. If you need to
                                 support any other authentication method, contact Anomali Customer Support.
LDAP/AD authentication           User name that ThreatStream Link will use to authenticate with Impala.
user name:
Impala host:                     Name of the node on which Impala is installed in the Hadoop cluster.
                                 Default: [localhost]
Filter expression for            Criteria by which threat intelligence will be filtered to the destination. If you do
this destination:                not want to use a filter, leave this field blank. Example: modified_ts > -14d.
                                 See "Fields for Filtering" on page 75 for fields and "Indicator Types" on page 82
                                 for indicators you can specify in the filter.
CrowdStrike
Integration Settings
You must configure these settings if you enter "crowdstrike" as the response to the "Which product(s)
would you like to integrate with:" question during the ThreatStream Link installation.
Setting                          Description
CrowdStrike API user:            User name ThreatStream Link will use to connect to Falcon Host to make the
                                 API connection.
Filter expression for            Criteria by which threat intelligence will be filtered to the destination. If you do
this destination:                not want to use a filter, leave this field blank. Example: modified_ts > -14d.
                                 See "Fields for Filtering" on page 75 for fields and "Indicator Types" on page 82
                                 for indicators you can specify in the filter.
CSV
Integration Settings
You must configure these settings if you enter "csv" as the response to the "Which product(s) would you
like to integrate with:" question during the ThreatStream Link installation.
Setting                          Description
CSV directory:                   The directory where the CSV file should be written on the destination.
Hadoop Hive
Guidelines
- ThreatStream Link must be installed on a node in the Hive cluster; ThreatStream Link installed on a
  machine outside the cluster is not a supported configuration.
- The user account used to install ThreatStream Link must have read-write access to HDFS.
- The machine on which ThreatStream Link is installed must have the Hive shell client (for
  non-secured clusters).
Integration Settings
You must configure these settings if you enter "hadoop_hive" as the response to the "Which product(s)
would you like to integrate with:" question during the ThreatStream Link installation.
Setting                          Description
Is authentication enabled        Yes or No
for Hive:                        Default: No
                                 If authentication is enabled, enter Yes and configure the next four settings.
Hive authentication              LDAP/AD
protocol:                        Default: LDAP/AD
                                 Currently, only LDAP authentication is supported.
LDAP/AD authentication           User name that ThreatStream Link will use to authenticate with Hive.
user name:
Filter expression for            Criteria by which threat intelligence will be filtered to the destination. If you do
this destination:                not want to use a filter, leave this field blank. Example: modified_ts > -14d.
                                 See "Fields for Filtering" on page 75 for fields and "Indicator Types" on page 82
                                 for indicators you can specify in the filter.
Infoblox
Guidelines
- Infoblox 7.2 is the supported version.
- Make sure that the user you specify in the settings below has the permission to create an RPZ zone
  on Infoblox.
- Make sure that the file "rpz.csv" does not exist in the directory where ThreatStream Link is
  installed. If this file exists already, an RPZ zone will not be created for the ThreatStream feed.
Integration Settings
Threat intelligence from ThreatStream to Infoblox contains domain-based indicators.
You must configure these settings if you enter "infoblox" as the response to the "Which product(s) would
you like to integrate with:" question during the ThreatStream Link installation.
Threat intelligence to Infoblox is downloaded to a local Response Policy Zone (RPZ) for Infoblox 7.2.
Setting                          Description
Filter expression for this       Criteria by which threat intelligence will be filtered to the destination. If
destination:                     you do not want to use a filter, leave this field blank. Example:
                                 modified_ts > -14d.
                                 See "Fields for Filtering" on page 75 for fields and "Indicator Types" on
                                 page 82 for indicators you can specify in the filter.
Infoblox user:                   User name for connecting to the Infoblox appliance. This user must have
                                 the permission to create an RPZ zone.
                                 - Priority for this zone: Default: 0; see the Infoblox documentation for
                                   more details about this option.
                                 If you answer No to this question, you must create an RPZ zone, restart
                                 the DNS server, and provide that information to complete the Infoblox
                                 configuration for ThreatStream Link.
                                 Default: Passthru
                                 See the Infoblox documentation for more details about this option.
LogRhythm
Guideline
- Optic Link must be installed on the same Windows system on which LogRhythm is installed.
Integration Settings
You must configure these settings if you enter "logrhythm" as the response to the "Which product(s) would you like to integrate with:" question during the ThreatStream Link installation.

LogRhythm version:
    Default: 6.3
    Version of LogRhythm with which you want to integrate.

    Note: Do not enclose the path in single or double quotes even if the path includes a space. Doing so may result in an error during ThreatStream Link installation.

Filter expression for this destination:
    Criteria by which threat intelligence will be filtered to the destination. If you do not want to use a filter, leave this field blank. Example: modified_ts > -14d.
    See "Fields for Filtering" on page 75 for fields and "Indicator Types" on page 82 for indicators you can specify in the filter.
NitroSecurity
Integration Settings
You must configure these settings if you enter "nitro" as the response to the "Which product(s) would you like to integrate with:" question during the ThreatStream Link installation.

NitroSecurity version:
    Default: 9.3
    Version of NitroSecurity running in your network environment. Currently, only version 9.3 is supported for ThreatStream Link.

Filter expression for this destination:
    Criteria by which threat intelligence will be filtered to the destination. If you do not want to use a filter, leave this field blank. Example: modified_ts > -14d.
    See "Fields for Filtering" on page 75 for fields and "Indicator Types" on page 82 for indicators you can specify in the filter.
If you want to use this certificate, you must make sure that your Palo Alto Networks firewall is properly configured to work with it.
If you do not want to use the default certificate, you can replace it with your own certificate. The new certificate file must be named ssl_cert.pem, and must be located in the /opt/threatstream/scripts directory.
- If you want to use HTTP rather than HTTPS for communication, rename the following file on ThreatStream Link:
  /opt/threatstream/scripts/ssl_cert.pem
  You will need to restart the ThreatStream Link service, as described in "Starting and Stopping ThreatStream Link Service" on page 23.
- If you are upgrading to this version of ThreatStream Link, make sure you are aware of this change: prior to ThreatStream Link version 5.2, Palo Alto Networks integration with ThreatStream Link required a different self-signed certificate file. If you are currently using that certificate and HTTPS to communicate between the Palo Alto Networks firewall and ThreatStream Link, you must reconfigure the Palo Alto Networks firewall to accept the new certificate available in the file ssl_cert.pem after upgrading to this version of ThreatStream Link.
- Make sure that the machine on which ThreatStream Link is installed allows inbound TCP connections on the HTTP service port you configure in "Integration Settings" below.
- Do not use the same ThreatStream Link installation to serve indicators to QRadar API, Palo Alto Networks firewall, AccelOps, and RSA NetWitness destinations.
Integration Settings
Threat intelligence from ThreatStream to Palo Alto Networks contains IP-based indicators.
You must configure these settings if you enter "paloaltonetworks" as the response to the "Which product(s) would you like to integrate with:" question during the ThreatStream Link installation.

    Port on which the Palo Alto firewall will connect to ThreatStream Link to download indicators.
    Note: Make sure you have read the "Guidelines" on the previous page.

Filter expression for this destination:
    Criteria by which threat intelligence will be filtered to the destination. If you do not want to use a filter, leave this field blank. Example: modified_ts > -14d.
    See "Fields for Filtering" on page 75 for fields and "Indicator Types" on page 82 for indicators you can specify in the filter.
QRadar API
Guidelines
- Use the QRadar API integration point to configure new QRadar destinations. The QRadar (without API) option is available but only supported for backward compatibility. Previously configured QRadar (without API) destinations do not need to be reconfigured.
- ThreatStream Link must be installed on a different system from the one on which QRadar is installed.
- One ThreatStream Link installation can support only one QRadar destination.
- Do not use the same ThreatStream Link installation to serve indicators to QRadar, Palo Alto Networks firewall, AccelOps, and RSA NetWitness destinations.
- For information about the Anomali QRadar App and Security Content Pack, see the Anomali QRadar App & Content Guide.
Integration Settings
You must configure these settings if you enter "qradar_api" as the response to the "Which product(s) would you like to integrate with:" question during the ThreatStream Link installation.

    Note: This setting is only displayed if you are configuring QRadar versions 7.2.6 and 7.2.7.

QRadar authorization token:
    Enter the authorization token that ThreatStream Link will use to run the API commands on the QRadar server.
    This token is generated on the QRadar server. Consult your product's documentation for more information.

    Indicators are downloaded in batches from ThreatStream Link to the QRadar server. This setting specifies the number of indicators that will be downloaded in each batch.

Filter expression for this destination:
    Criteria by which threat intelligence will be filtered to the destination. If you do not want to use a filter, leave this field blank. Example: modified_ts > -14d.
    See "Fields for Filtering" on page 75 for fields and "Indicator Types" on page 82 for indicators you can specify in the filter.

However, there may be situations after the first download when you want to clear all QRadar reference sets and perform a full intelligence refresh.
Note: Performing a full intelligence refresh can take up to several hours. Therefore, use this option with caution.
To clear all ThreatStream Reference Sets and force synchronize threat intelligence on your QRadar system:
1. Stop the ThreatStream Link service as described in "Starting and Stopping ThreatStream Link Service" on page 23.
   ./opticlink -r
   You will be prompted to confirm the operation. Once you confirm, the operation proceeds and clears the ThreatStream Reference Sets on QRadar. Once the operation has completed, go to the next step.
3. Start ThreatStream Link as described in "Starting and Stopping ThreatStream Link Service" on page 23.
A full refresh of the threat intelligence is performed at the next update time interval, as specified for your ThreatStream Link.
QRadar (Deprecated)
Instead of using this QRadar integration point, use the QRadar API integration point to configure new QRadar destinations. The QRadar (without API) option is available but only supported for backward compatibility. Previously configured QRadar (without API) destinations do not need to be reconfigured.
Integration Settings
You must configure these settings if you enter "qradar" as the response to the "Which product(s) would you like to integrate with:" question during the ThreatStream Link installation.
Note: ThreatStream Link communicates with the QRadar destination using the command line when this option is selected. This implementation is deprecated as of ThreatStream Link v5.1, and is only supported for backward compatibility. Use QRadar API to set up a new QRadar destination.

QRadar version:
    Default: 7.2
    Version of QRadar running in your network environment. Use the value 7.2 for both versions 7.2.2 and 7.2.3.

    You will need to create an SSH key pair that ThreatStream Link will use to connect to QRadar. Specify the location of the SSH key pair. See "SSH Key Pair Generation" on page 92 for more information about setting up an SSH key pair.
RSA NetWitness
Guidelines
- Configure ThreatStream Link to run as a service to ensure that the HTTP server is always available for RSA NetWitness to download indicators from ThreatStream Link.
- Do not use the same ThreatStream Link installation to serve indicators to QRadar API, Palo Alto Networks firewall, AccelOps, and RSA NetWitness destinations.
- RSA NetWitness integration with ThreatStream Link requires about 40 GB of disk space on the ThreatStream Link system. Make sure that the ThreatStream Link system is provisioned with sufficient disk space.
Integration Settings
You must configure these settings if you enter "rsa" as the response to the "Which product(s) would you like to integrate with:" question during the ThreatStream Link installation.

RSA version:
    Default: 10.4
    Version of RSA with which you want to integrate. Version 10.5 is also supported.

Delimiter for CSV files:
    Default: |
    Delimiter character for parsing data from the threat intelligence data files. The specified pipe (|) character is used as a field separator in the CSV files created on ThreatStream Link from which RSA NetWitness will obtain threat intelligence. Although you can specify any character of your choice, Anomali recommends using the default value (|).

Webserver port:
    Default: 8789
    Port on which the HTTP connection to ThreatStream Link should be established from RSA NetWitness.

Enable SSL:
    Default: No
    Anomali recommends using the default value.

Filter expression for this destination:
    Criteria by which threat intelligence will be filtered to the destination. If you do not want to use a filter, leave this field blank. Example: modified_ts > -14d.
    See "Fields for Filtering" on page 75 for fields and "Indicator Types" on page 82 for indicators you can specify in the filter.
To enable your RSA NetWitness platform to start receiving threat intelligence feeds from ThreatStream Link, you must do the following:
- Download the ThreatStream content pack from the Downloads page of the ThreatStream platform. Unzip the package to access these files:
  - RSA_TS_Plugin.txt
  - ThreatStreamRules.zip
  - ThreatStreamReports.zip
  - tsdomain.xml
  - tshash.xml
  - tsurl.xml
  - tsip.xml
  - tsemail.xml
- Install the Anomali plug-in for RSA for context menu actions. See "Install the ThreatStream Plug-in" on the next page.
- Create ThreatStream feeds for all five Indicator of Compromise (IOC) types on the RSA NetWitness platform. See "Creating ThreatStream Feeds on RSA NetWitness" on the next page.
- Deploy the Anomali RSA content package that creates rules and reports.
1. Log in to the NetWitness platform as a user who has privileges to install a plug-in.
2. Open the RSA_TS_Plugin.txt file you downloaded earlier using a text editor such as Notepad. Copy the contents of this file.
3. Click Dashboard > Administration > System > Context Menu Actions.
6. Click OK.
Note: Remember to allow ThreatStream Link to run for at least 24 hours before you configure RSA NetWitness to receive feeds from ThreatStream Link.
1. Log in to the NetWitness platform as a user who has privileges to create Live Feeds.

Feed Task Type
    Whether the feed will be refreshed on demand or on a recurring basis. Select Recurring.

URL
    URL to which RSA NetWitness will make an HTTP or HTTPS connection to ThreatStream Link.
    where CSV_file_name is
    - threatstream_rsa_domain.csv
    - threatstream_rsa_hash.csv
    - threatstream_rsa_url.csv
    - threatstream_rsa_ip.csv
    - threatstream_rsa_email.csv
    NOTE: Click Verify to ensure RSA NetWitness can access the URL.

Recur Every
    How frequently RSA NetWitness will poll ThreatStream Link for updates. Enter 1 hour.

Advanced Options
    Browse to access the .xml files that were included in the content pack that you downloaded earlier. Depending on the feed you are configuring, select one of the following:
    - tsdomain.xml
    - tshash.xml
    - tsurl.xml
    - tsip.xml
    - tsemail.xml

d. Click Next.
f. Click Finish.
Once successfully configured, the five streams will be listed in the Feeds section as shown in the following figure.
To create rules:
1. Log in to the NetWitness platform as a user who has privileges to create rules and reports.
3. Click Rules.
5. Click Browse and locate the ThreatStreamRules.zip file that you downloaded earlier.
6. Click Import.
To create reports:
1. Log in to the NetWitness platform as a user who has privileges to create rules and reports.
3. Click Reports.
5. Click Browse and locate the ThreatStreamReports.zip file that you downloaded earlier.
6. Click Import.
Splunk
Guidelines
Splunk Add On with Splunk ES version 4.x
If you are integrating with the Splunk add on deployed on a Splunk server running ES version 4.x, make sure the ThreatStream Link can access port 8089 on that Splunk server.
If you had set up multiple unique destinations for a previous ThreatStream Link release even though all search head nodes use the same credentials, the destinations are preserved when you upgrade to this ThreatStream Link release. You can continue using the multiple destination setup, or delete those destinations and configure one destination for all search head nodes in the cluster.
Additionally, the ThreatStream Link service must be configured to run as the user who is installing ThreatStream Link; otherwise, the threat intelligence copy to the shared folder will fail as shown in the following example.
Integration Settings
You must configure these settings if you enter "splunk" as the response to the "Which product(s) would you like to integrate with:" question during the ThreatStream Link installation.

    Version of Splunk that you want to integrate. Versions 6.1, 6.2, 6.3, and 6.4 are supported.

Filter expression for this destination (blank for no filter):
    Criteria by which threat intelligence will be filtered to the destination. If you do not want to use a filter, leave this field blank. Example: modified_ts > -14d.
    See "Fields for Filtering" on page 75 for fields and "Indicator Types" on page 82 for indicators you can specify in the filter.

    Specify whether you are integrating the Splunk App or the Splunk add on.

Is Splunk deployed on Windows: (if you are integrating with the Splunk App)
    Yes or No. Default: No.
    Whether your Splunk instance is installed on a Windows platform.

Settings for all versions of Splunk App and Splunk add on with Splunk ES version 3.x

    For Windows:
    - If you have a search head cluster and want to push intelligence to all members of the cluster, comma-separate the paths to the folders on all members of the cluster. For example, \\abc-pc1\threatstream,\\abc-pc2\threatstream,\\192.168.10.42\threatstream
    - Make sure that you have shared the folder you specified in the Splunk ThreatStream absolute path setting, as shown in the following example. The folder must be shared with the user that you are using to install ThreatStream Link. If Splunk is installed on a Windows cluster and you want to push threat intelligence to all members of the cluster, make sure that you have shared folders on all members of the cluster.

SSH Settings (only displayed when ThreatStream Link is installed remotely on a Unix-based platform):
    If you enter a value other than the default (localhost) in the "Splunk deployment server, search head or cluster hosts" setting, you are prompted to enter the following SSH settings. Since these settings are not meaningful if your Splunk is installed on a Windows system, make sure you always enter the default value (localhost) in the previous setting for Windows.
    When ThreatStream Link is remote and Splunk is installed on a Unix-based platform, enter the following settings:
    - SSH port: Default: 22; Enter the SSH port for the Splunk machine.
    Select "public key" if you want to use an SSH key pair for authentication. See "SSH Key Pair Generation" on page 92 for more information about setting up an SSH key pair.
    Select "password" if you will use a user name and password for authenticating with Splunk.
    - SSH user: Default: root; Enter the user name to use for connecting to Splunk.
      - If you selected password, enter the password for the SSH user.

Splunk API user:
    User name ThreatStream Link will use to connect to Splunk to make the API connection.
Syslog
Integration Settings
You must configure these settings if you enter "syslog" as the response to the "Which product(s) would you like to integrate with:" question during the ThreatStream Link installation.

Syslog host:
    Name or IP address of the host to which ThreatStream intelligence will be downloaded.
Tanium
Integration Settings
Threat intelligence from ThreatStream to Tanium IOC Funnel and IOC Detect contains IP, domain, and MD5-based indicators.
You must configure these settings if you enter "tanium" as the response to the "Which product(s) would you like to integrate with:" question during the ThreatStream Link installation.

Tanium IOC Funnel port: (for 6.2)

Tanium hostname:
    Host name or IP address of the Tanium server (for 6.5) or the IOC Funnel (for 6.2).

Tanium user:
    User name for connecting to the Tanium server (for 6.5) or the IOC Funnel (for 6.2).

Maximum number of indicators:
    Default: 50
    Maximum number of indicators that will be downloaded. The indicators are downloaded automatically based on the schedule you specify during the ThreatStream Link installation.
    For Tanium 6.2, you must upload the indicators from the IOC Funnel to the Tanium server based on your need.

Tags associated with indicators:
    Specify the tags that must be associated with an indicator for it to be downloaded. The tags are set on the ThreatStream platform and are strings that are associated with an indicator for additional context.
    The IOC Funnel and IOC Detect impose a limit on the number of indicators that can be forwarded to them. By tagging the indicators (in ThreatStream) that you are most interested in, you can limit the number of indicators that get forwarded to them. Use a combination of Tags and ThreatStream Link filtering to pare down the number of indicators that will be forwarded.

Filter expression for this destination:
    Criteria by which threat intelligence will be filtered to the destination. If you do not want to use a filter, leave this field blank. Example: modified_ts > -14d.
    See "Fields for Filtering" on page 75 for fields and "Indicator Types" on page 82 for indicators you can specify in the filter.
Field Operators
The following table lists the operators available for each field type.
Note: ~ is a regex match operator. Use this operator in conjunction with the type fields to find specific indicators. For example, value ~ ".*maliciousdomain.com$" AND type=domain will match the domain indicators whose value ends with maliciousdomain.com.
Simple expressions (queries) can be joined using the logical operators AND, OR, and NOT to form complex expressions.
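As an added illustration, not code from the guide or from ThreatStream Link itself, the following Python evaluator reads filter expressions in the syntax used on this page (field, operator, value; AND, OR, NOT; relative dates such as -14d; the ~ regex operator) and applies them to a few constructed indicator records, so a destination filter can be checked before it is deployed. It goes a little beyond the page's examples in also accepting <, <=, >= and != and longer OR/NOT chains. The grammar is inferred from the examples here and is an assumption, as are the record layout and the sample data; "type" is used as the type field because that is what the regex example above uses.

```python
import re
from datetime import datetime, timedelta, timezone

# Tokens of the filter syntax shown in the guide: <field> <op> <literal>, joined by AND /
# OR / NOT. The real grammar is not published here, so this evaluator is an assumption.
_TOKEN = re.compile(r'\s*(?:(?P<kw>AND|OR|NOT)\b|(?P<str>"[^"]*")|(?P<rel>-\d+d)\b|(?P<num>-?\d+)\b'
                    r'|(?P<ident>[A-Za-z_][A-Za-z0-9_.-]*)|(?P<op>>=|<=|!=|=|>|<|~))')

def tokenize(text):  # split a filter expression into (kind, text) pairs; unknown text is an error
    pos, tokens, text = 0, [], text.strip()
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"unexpected text at {pos}: {text[pos:pos + 10]!r}")
        tokens.append((m.lastgroup, m.group(m.lastgroup)))
        pos = m.end()
    return tokens

def parse(tokens):
    """Recursive descent: OR binds loosest, then AND, then NOT, then one comparison."""
    toks = list(tokens) + [(None, None)]       # sentinel marks the end of input
    def take():
        return toks.pop(0) if len(toks) > 1 else toks[0]
    def binary(kw, sub):                       # left-associative `sub (kw sub)*`
        node = sub()
        while toks[0] == ("kw", kw):
            take()
            node = (kw.lower(), node, sub())
        return node
    def comparison():
        if toks[0] == ("kw", "NOT"):
            take()
            return ("not", comparison())
        (fk, field), (ok, op), (lk, lit) = take(), take(), take()
        if fk != "ident" or ok != "op" or lk not in ("str", "rel", "num", "ident"):
            raise ValueError(f"expected <field> <op> <value>, got {field!r} {op!r} {lit!r}")
        return ("cmp", field, op, lk, lit)
    node = binary("OR", lambda: binary("AND", comparison))
    if len(toks) != 1:
        raise ValueError("trailing tokens after expression")
    return node

def evaluate(node, indicator, now):
    """True if the indicator (a dict keyed by filter field) satisfies the parsed filter."""
    if node[0] == "not":
        return not evaluate(node[1], indicator, now)
    if node[0] in ("and", "or"):
        left, right = (evaluate(n, indicator, now) for n in node[1:])
        return (left and right) if node[0] == "and" else (left or right)
    _, field, op, lk, lit = node
    expected = (lit[1:-1] if lk == "str" else now + timedelta(days=int(lit[:-1])) if lk == "rel"
                else int(lit) if lk == "num" else lit)     # "-14d" means "now minus 14 days"
    actual = indicator.get(field)
    if actual is None:                         # absent or unsupported field never matches
        return False
    if op == "~":                              # regex match; search semantics assumed
        return re.search(expected, str(actual)) is not None
    if op in ("=", "!="):
        return (str(actual) == str(expected)) == (op == "=")
    return {">": actual > expected, "<": actual < expected,
            ">=": actual >= expected, "<=": actual <= expected}[op]

def apply_filter(expression, indicators, now):  # values of the indicators the filter would forward
    ast = parse(tokenize(expression))
    return [ind["value"] for ind in indicators if evaluate(ast, ind, now)]

NOW = datetime(2016, 6, 1, tzinfo=timezone.utc)  # fixed clock so "-14d" is reproducible
def rec(value, itype, severity, age_days, stream_id):  # constructed record, not real data
    return {"value": value, "type": itype, "severity": severity,
            "modified_ts": NOW - timedelta(days=age_days), "stream_id": stream_id}

SAMPLE = [rec("evil.maliciousdomain.com", "domain", "high", 3, 101),
          rec("maliciousdomain.com.example.net", "domain", "low", 3, 101),  # rejected by "$"
          rec("evil.maliciousdomain-com", "domain", "medium", 3, 101),      # unescaped "." lets it in
          rec("198.51.100.7", "ip", "high", 30, 202)]
```

The third sample record shows why the dot in a domain pattern should be escaped: with the page's pattern as written, "." also matches the "-" in maliciousdomain-com.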
Fields
This section lists the fields that you can use for defining source and destination filters for ThreatStream Link and the values that can be associated with these fields.
- Not all fields available on ThreatStream are supported for ThreatStream Link filters.
To configure a source filter or destination filter on ThreatStream Link, use the fields listed in the first column (5.1 and later Field) of the following table. All fields except feed_group can be used in a destination filter.
- If you have a pre-existing source filter that was configured prior to ThreatStream Link version 5.1, the source filter is based on the fields listed in the second column (Pre-v5.1 Field) because the fields in the first column (5.1 and later Field) were not supported then. Source filters based on the second column continue to work with all releases of ThreatStream Link and do not need to be migrated. However, if you are configuring a new source filter, Anomali recommends that you use the fields listed in the first column, 5.1 (and later) Field.
- When creating a new source filter, do not mix the fields from the first and second columns. Doing so may result in unexpected behavior.
- If you need to modify an existing source filter, rewrite it using the new fields.
5.1 (and later) Field | Pre-v5.1 Field (for backward compatibility) | Type | Description
created_ts | date_first | Date | Time stamp of when the indicator was first created in ThreatStream.
modified_ts | date_last | Date | Time stamp of when the indicator was last updated in ThreatStream.
value | domain | String | Pre-5.1: Domain indicator type and its value. For example, domain="maliciousdomain.com".
value | email | String | Pre-5.1: Email indicator type and its value. For example, email="foo@maliciousdomain.com".
value | md5 | String | Pre-5.1: MD5 indicator type and its value. For example, md5="1525efe350bc16bec22ebae99722798a".
severity | severity | String | Criticality associated with the threat feed that supplied the indicator.
stream_id | source_feed_id | Numeric | ID of the threat feed that created the indicator on ThreatStream.
value | url | String | Pre-5.1: URL indicator type and its value. For example, url="http://www.google.com".
Infoblox | Domain
Palo Alto Networks | IP

apt_subject | APT Subject Line | itype="apt_subject" | Email subject line used by a known Advanced Persistent Threat (APT) actor.
apt_ua | APT User Agent | itype="apt_ua" | User agent string used by a known Advanced Persistent Threat (APT) actor.
mal_ua | Malware User Agent | itype="mal_ua" | User agent string used by a malware sample when communicating via HTTP.
   ssh-keygen -t RSA
3. Enter this command to display the public key you just created so that you can copy it:
   cat ~/.ssh/id_rsa.pub
4. Copy the key starting at the ssh-rsa until the end of the single line. Make sure that you copy the entire line.
   mkdir ~/.ssh
   echo <the key you copied in the previous procedure> >> ~/.ssh/authorized_keys