×
X-Force

Overview

The Security Flow X-Force Plugin provides Incident enrichment with threat intelligence from the X-Force API.

Functionality

The X-Force Plugin provides the functionality to gather threat intelligence on domains, hashes, IP addresses, and URLs.

Instance Configuration Parameters

Property
Description

Instance Name

Name for the X-Force instance.


Api Key

Api Key used to access IBM X-Force.


Api Password

Api Password created when
first generating the Api Key.

Flow Node

Communication node which controls the Nevelex Labs OpenDXL X-Force Plugin Instance according to the specified node configuration.
Property
Description

Name

The display name of the node within the flows.


OpenDXL Fabric

ID of the OpenDXL Fabric used for communication with the adapter.


Action

The desired operation to take with X-Force.

  • Search Within: Determines the report(s) to run based on a search of the contents within the Search Within field. For example, if the supplied value is payload.ioc and the contents at that location are as follows,
    {
    	"domain": "baddomain.com",
    	"url": "https://baddomain.com/path/to/file"
    }

    a domain report and url report will be run.

  • Domain Report: Used to request a report on the supplied domain.
  • File Report: Used to request a report on the supplied file hash. The file hash can be any of the following hashes: MD5, SHA-1, or SHA-256.
  • IP Address Report: Used to request a report on the supplied IP Address.
  • URL Report: Used to request a report on the supplied URL.

Domain/File Hash/IP Address/URL

This field defines the location from the message, flow, global, or JavaScript expression to use as the data source for the action. Additionally, the node context can also be changed. The following contexts are supported:

  • msg.: This selects part of the incoming message as the source of the data. This is typical choice.
  • flow.: This selects part of the flow context’s saved data as the source. This information is shared with only the nodes on a given tab.
  • global.: This selects part of the global context’s saved data as the source. This information is shared by all nodes regardless of tab.
  • J: expression: JSONata expression language to perform query and transform operations on the payload.

Helper node used to classify an Indicator of Compromise (IoC) from an IBM X-Force report as trusted or malicious based on the report. This node takes as input the successful response from the NL X Force node or the NL Broadcast Gather Threat Intelligence node.

Per Severity levels for IBM X-Force security signatures, the basic severity levels for X-Force are broken up into these ranges:

  • Low: 0.0-3.9
  • Medium: 4.0-6.9
  • High: 7.0-10
For the URL, Domain, and IP reports, the score field is found within the response at result.score.

Report analysis nodes have five (5) outputs.

  1. Malicious: The Malicious Score matched the Indicator of Compromise's score.
  2. Trusted: The Trusted Score matched the Indicator of Compromise's score.
  3. No Match: The rules did not match the IoC as either trusted or malicious.
  4. Report Missing: The incoming message did not include a report for X-Force.
  5. Report Error: A report exists with an error message of some type.

Property
Description

Name

The display name of the node within the flows.


Malicious Score

Any score matching the defined Malicious Score level is considered a malicious IoC. Malicious score checks are done against one of the selected ranges.

  • Low (>= 1.0)
  • Low (>= 2.0)
  • Low (>= 3.0)
  • Medium (>= 4.0)
  • Medium (>= 5.0)
  • Medium (>= 6.0)
  • High (>= 7.0)
  • High (>= 8.0)
  • High (>= 9.0)
  • High (== 10.0)

Trusted Score

Any score matching the defined Trusted Score level is considered a trusted IoC. This field can be set to Never to never consider an IoC trusted. Trusted score checks are done against one of the selected ranges.

  • Never
  • Low (< 0.1)
  • Low (< 1.0)
  • Low (< 2.0)
  • Low (< 3.0)
  • Low (< 4.0)
  • Medium (< 5.0)
  • Medium (< 6.0)
  • Medium (< 7.0)

Malicious Hash

For hashes, no score is returned, but a risk string is found within the response at malware.risk. The risk can be one of the following values:

  • low
  • medium
  • high

Multiple Malicious Hash values may be selected to treat a file hash as malicious. If no values are selected, no match will be made.


Audit Missing Report

If checked, a missing report audit message will be added to the Incident’s timeline.

Learn More

JSON Message Format

The following samples show the JSON content added to the message payload, which conform to Node Messaging Format. The content exists within the xforce object.

URL Report Success

The italicized, green text is inserted into the message payload upon a successful request. For this example an URL report was requested for www.google.com.

"payload": {
    "xforce":{
        "topic":"/nevelexlabs/service/xforce/restapi",
        "response":{
            "tags":[

            ],
            "result":{
                "url":"www.google.com",
                "cats":{
                    "Search Engines / Web Catalogues / Portals":true
                },
                "score":1,
                "categoryDescriptions":{
                    "Search Engines / Web Catalogues / Portals":"This category contains search engines, Web catalogues and Web portals. Dating sites, Social Networking sites and Business Networking sites are not listed here but in their own categories."
                }
            },
            "associated":[
                {
                    "url":"google.com",
                    "cats":{
                        "Search Engines / Web Catalogues / Portals":true
                    },
                    "score":1,
                    "categoryDescriptions":{
                        "Search Engines / Web Catalogues / Portals":"This category contains search engines, Web catalogues and Web portals. Dating sites, Social Networking sites and Business Networking sites are not listed here but in their own categories."
                    }
                }
            ]
        }
    }
}

IP Report Success

The italicized, green text is inserted into the message payload upon a successful request. For this example an IP report was requested for ip address 8.8.8.8.

"payload": {
    "xforce":{
        "topic":"/nevelexlabs/service/xforce/restapi",
        "response":{
            "ip":"8.8.8.8",
            "geo":{
                "country":"United States",
                "countrycode":"US"
            },
            "cats":{

            },
            "tags":[

            ],
            "score":1,
            "reason":"Third party feed",
            "history":[
                {
                    "ip":"8.0.0.0/8",
                    "geo":{
                        "country":"United States",
                        "countrycode":"US"
                    },
                    "cats":{

                    },
                    "score":1,
                    "reason":"Regional Internet Registry",
                    "created":"2012-03-22T07:26:00.000Z",
                    "reasonDescription":"One of the five RIRs announced a (new) location mapping of the IP.",
                    "categoryDescriptions":{

                    }
                },
                {
                    "ip":"8.8.8.8/32",
                    "geo":{
                        "country":"United States",
                        "countrycode":"US"
                    },
                    "cats":{
                        "Anonymisation Services":57
                    },
                    "score":5.7,
                    "reason":"Content found on multihoster",
                    "created":"2012-04-26T00:34:00.000Z",
                    "reasonDescription":"At least one of the websites that is hosted on this IP address contains content of the aforementioned category.",
                    "categoryDescriptions":{
                        "Anonymisation Services":"This category contains IP addresses of Web proxies (websites that allow the user to anonymously view websites). Furthermore, IP addresses are listed that can be used directly to surf anonymously (e.g. by adding them to the browser configuration)."
                    }
                },
...
            }
        }
    }
}

File Hash Report Success

The italicized, green text is inserted into the message payload upon a successful request.

"payload": {
    "xforce":{
            "topic":"/nevelexlabs/service/xforce/restapi",
            "response":{
                "tags":[

                ],
                "malware":{
                    "md5":"0x474B9CCF5AB9D72CA8A333889BBB34F0",
                    "hash":"0x474B9CCF5AB9D72CA8A333889BBB34F0",
                    "risk":"high",
                    "type":"md5",
                    "family":[
                        "tsunami"
                    ],
                    "created":"2014-10-20T23:19:00Z",
                    "origins":{
                        "emails":{

                        },
                        "external":{
                            "family":[
                                "heuristic",
                                "trojan"
                            ],
                            "detectionCoverage":44
                        },
                        "subjects":{

                        },
                        "CnCServers":{
                            "rows":[
                                {
                                    "ip":"61.255.239.86",
                                    "md5":"474B9CCF5AB9D72CA8A333889BBB34F0",
                                    "uri":"http://pc-guard.net/v.html",
                                    "type":"CnC",
                                    "count":483,
                                    "domain":"pc-guard.net",
                                    "origin":"CnC",
                                    "schema":"http",
                                    "filepath":"v.html",
                                    "lastseen":"2014-10-20T23:19:00Z",
                                    "firstseen":"2014-10-20T23:19:00Z"
                                }
                            ],
                            "count":1
                        },
                        "downloadServers":{

                        }
                    },
                    "familyMembers":{
                        "tsunami":{
                            "count":61
                        }
                    }
                }
            }
        }
    }
}

Error

The italicized, maroon text is inserted into the message payload upon a failed request.

"payload": {
    "xforce":{
        "error":{
            "error_code":5,
            "error_message":"Bad Response Code: 404, Method: malware/E74B9CCF5AB9D72CA8A333889BBB34F0, Params: {}"
        },
        "topic":"/nevelexlabs/service/xforce/restapi"
    }

}
Nevelex Labs, Main Office

Metro Office Park
2950 Metro Drive, Suite 104
Bloomington, MN 55425
Phone: +1 952-500-8921

©Nevelex Labs, LLC. 2018-2021, All Rights Reserved.

EULA