Overview
The Security Flow IBM X-Force Plugin provides Incident enrichment with threat intelligence from the X-Force API.
Functionality
The X-Force Plugin provides the functionality to gather threat intelligence on domains, hashes, IP addresses, and URLs.
Instance Configuration Parameters
Name for the X-Force instance.
API Key used to access IBM X-Force.
API Password created when first generating the API Key.
Flow Node
The display name of the node within the flows.
ID of the OpenDXL Fabric used for communication with the adapter.
The desired operation to take with X-Force.
- Search Within: Determines the report(s) to run based on a search of the contents within the
Search Within
field. For example, if the supplied value ispayload.ioc
and the contents at that location are as follows,{ "domain": "baddomain.com", "url": "https://baddomain.com/path/to/file" }
a domain report and url report will be run.
- Domain Report: Used to request a report on the supplied domain.
- File Report: Used to request a report on the supplied file hash. The file hash can be any of the following hashes: MD5, SHA-1, or SHA-256.
- IP Address Report: Used to request a report on the supplied IP Address.
- URL Report: Used to request a report on the supplied URL.
This field defines the location from the message, flow, global, or JavaScript expression to use as the data source for the action. Additionally, the node context can also be changed. The following contexts are supported:
- msg.: This selects part of the incoming message as the source of the data. This is typical choice.
- flow.: This selects part of the flow context’s saved data as the source. This information is shared with only the nodes on a given tab.
- global.: This selects part of the global context’s saved data as the source. This information is shared by all nodes regardless of tab.
- J: expression: JSONata expression language to perform query and transform operations on the payload.
NL-Message-Analysis
node instead.
Helper node used to classify an Indicator of Compromise (IoC)
from an IBM X-Force report as trusted or malicious based on the
report.
This node takes as input the successful response from
the NL X Force
node or the
NL Broadcast Gather Threat Intelligence
node.
Per Severity levels for IBM X-Force security signatures, the basic severity levels for X-Force are broken up into these ranges:
- Low: 0.0-3.9
- Medium: 4.0-6.9
- High: 7.0-10
result.score
.
Report analysis nodes have five (5) outputs.
- Malicious: The
Malicious Score
matched the Indicator of Compromise's score. - Trusted: The
Trusted Score
matched the Indicator of Compromise's score. - No Match: The rules did not match the IoC as either trusted or malicious.
- Report Missing: The incoming message did not include a report for X-Force.
- Report Error: A report exists with an error message of some type.
The display name of the node within the flows.
Any score matching the defined Malicious Score
level is considered a malicious IoC. Malicious score checks are done against one of the selected ranges.
- Low (>= 1.0)
- Low (>= 2.0)
- Low (>= 3.0)
- Medium (>= 4.0)
- Medium (>= 5.0)
- Medium (>= 6.0)
- High (>= 7.0)
- High (>= 8.0)
- High (>= 9.0)
- High (== 10.0)
Any score matching the defined Trusted Score
level is considered a trusted IoC. This field can be set to Never
to never consider an IoC trusted. Trusted score checks are done against one of the selected ranges.
- Never
- Low (< 0.1)
- Low (< 1.0)
- Low (< 2.0)
- Low (< 3.0)
- Low (< 4.0)
- Medium (< 5.0)
- Medium (< 6.0)
- Medium (< 7.0)
For hashes, no score is returned, but a risk string is found within the response at malware.risk
. The risk can be one of the following values:
- low
- medium
- high
Multiple Malicious Hash
values may be selected to treat a file hash as malicious. If no values are selected, no match will be made.
If checked, a missing report audit message will be added to the Incident’s timeline.
Learn More
JSON Message Format
The following samples show the JSON content added to the message payload, which conform to Node Messaging Format. The content exists within the xforce object.
URL Report Success
The italicized, green text is inserted into the message payload upon a successful request. For this example an URL report was requested for www.google.com.
"payload": {
"xforce":{
"topic":"/nevelexlabs/service/xforce/restapi",
"response":{
"tags":[
],
"result":{
"url":"www.google.com",
"cats":{
"Search Engines / Web Catalogues / Portals":true
},
"score":1,
"categoryDescriptions":{
"Search Engines / Web Catalogues / Portals":"This category contains search engines, Web catalogues and Web portals. Dating sites, Social Networking sites and Business Networking sites are not listed here but in their own categories."
}
},
"associated":[
{
"url":"google.com",
"cats":{
"Search Engines / Web Catalogues / Portals":true
},
"score":1,
"categoryDescriptions":{
"Search Engines / Web Catalogues / Portals":"This category contains search engines, Web catalogues and Web portals. Dating sites, Social Networking sites and Business Networking sites are not listed here but in their own categories."
}
}
]
}
}
}
IP Report Success
The italicized, green text is inserted into the message payload upon a successful request. For this example an IP report was requested for ip address 8.8.8.8.
"payload": {
"xforce":{
"topic":"/nevelexlabs/service/xforce/restapi",
"response":{
"ip":"8.8.8.8",
"geo":{
"country":"United States",
"countrycode":"US"
},
"cats":{
},
"tags":[
],
"score":1,
"reason":"Third party feed",
"history":[
{
"ip":"8.0.0.0/8",
"geo":{
"country":"United States",
"countrycode":"US"
},
"cats":{
},
"score":1,
"reason":"Regional Internet Registry",
"created":"2012-03-22T07:26:00.000Z",
"reasonDescription":"One of the five RIRs announced a (new) location mapping of the IP.",
"categoryDescriptions":{
}
},
{
"ip":"8.8.8.8/32",
"geo":{
"country":"United States",
"countrycode":"US"
},
"cats":{
"Anonymisation Services":57
},
"score":5.7,
"reason":"Content found on multihoster",
"created":"2012-04-26T00:34:00.000Z",
"reasonDescription":"At least one of the websites that is hosted on this IP address contains content of the aforementioned category.",
"categoryDescriptions":{
"Anonymisation Services":"This category contains IP addresses of Web proxies (websites that allow the user to anonymously view websites). Furthermore, IP addresses are listed that can be used directly to surf anonymously (e.g. by adding them to the browser configuration)."
}
},
...
}
}
}
}
File Hash Report Success
The italicized, green text is inserted into the message payload upon a successful request.
"payload": {
"xforce":{
"topic":"/nevelexlabs/service/xforce/restapi",
"response":{
"tags":[
],
"malware":{
"md5":"0x474B9CCF5AB9D72CA8A333889BBB34F0",
"hash":"0x474B9CCF5AB9D72CA8A333889BBB34F0",
"risk":"high",
"type":"md5",
"family":[
"tsunami"
],
"created":"2014-10-20T23:19:00Z",
"origins":{
"emails":{
},
"external":{
"family":[
"heuristic",
"trojan"
],
"detectionCoverage":44
},
"subjects":{
},
"CnCServers":{
"rows":[
{
"ip":"61.255.239.86",
"md5":"474B9CCF5AB9D72CA8A333889BBB34F0",
"uri":"http://pc-guard.net/v.html",
"type":"CnC",
"count":483,
"domain":"pc-guard.net",
"origin":"CnC",
"schema":"http",
"filepath":"v.html",
"lastseen":"2014-10-20T23:19:00Z",
"firstseen":"2014-10-20T23:19:00Z"
}
],
"count":1
},
"downloadServers":{
}
},
"familyMembers":{
"tsunami":{
"count":61
}
}
}
}
}
}
}
Error
The italicized, maroon text is inserted into the message payload upon a failed request.
"payload": {
"xforce":{
"error":{
"error_code":5,
"error_message":"Bad Response Code: 404, Method: malware/E74B9CCF5AB9D72CA8A333889BBB34F0, Params: {}"
},
"topic":"/nevelexlabs/service/xforce/restapi"
}
}
Metro Office Park
2950 Metro Drive, Suite 104
Bloomington, MN 55425
Phone: +1 952-500-8921
©Nevelex Labs, LLC. 2018-2024, All Rights Reserved.
EULA