
Anomali ThreatStream Link

Installation Guide
Version: 5.3.5

November 16, 2016


Copyright Notice
2016 Anomali, Inc. All rights reserved.
ThreatStream is a registered servicemark. Optic, Anomali Harmony, and Anomali Report are registered trademarks.
All other brands, products, and company names used herein may be trademarks of their respective owners.

Support
Support Portal https://support.anomali.com

Email support@anomali.com

Phone +1 844-4-THREATS

Twitter @anomali

Documentation Updates

Date        Product Version  Description
11/16/2016  5.3.5            5.3.5 release.
10/12/2016  5.3.4            5.3.4 release.
8/31/2016   5.3.3            5.3.3 release.
8/12/2016   5.3.2            5.3.2 release.
7/27/2016   5.3.1            5.3.1 release.
6/30/2016   5.3              5.3 release.
4/18/2016   5.2.2            5.2.2 release. Bug fixes only.
3/20/2016   5.2.1            5.2.1 release.
1/14/2016   5.2              5.2 release.
12/16/2015  5.1.3            5.1.3 release.
10/28/2015  5.1.2            Added support for Windows, ThreatStream Link for Optic Appliance, and other integration updates.
10/7/2015   5.1.1            5.1 patch release.
8/12/2015   5.1              5.1 release.

Anomali ThreatStream Link (5.3.5) Page 2 of 94


CONTENTS
Chapter 1: Introduction 5
About Integrating With ThreatStream Appliance 6
Available Integrations 6

Chapter 2: Installing and Upgrading ThreatStream Link 8


About Installing ThreatStream Link 8
About Upgrading ThreatStream Link 8
System Requirements 9
Prerequisites 9
Support Matrix 9
Downloading ThreatStream Link 10
Installing ThreatStream Link on Linux 11
Installing ThreatStream Link on Windows 17
Starting and Stopping ThreatStream Link Service 23
Rerunning ThreatStream Link Setup 24
Uninstalling ThreatStream Link 24

Chapter 3: Configuring Filters 26


Understanding Filters 26
Specifying Filters 27
Troubleshooting Filters 28

Appendix A: ThreatStream Link Integrations 29


AccelOps 30
ArcSight ESM 37
Carbon Black 38
BroIntel 43
CEF 44
Cloudera Impala 45
CrowdStrike 47
CSV 48


Hadoop Hive 49
Infoblox 51
LogRhythm 53
NitroSecurity 54
Palo Alto Networks 55
QRadar API 57
Force Synchronizing IOC Update 58
QRadar (Deprecated) 60
RSA NetWitness 61
Splunk 67
Syslog 72
Tanium 73

Appendix C: Fields for Filtering 75


Field Operators 75
Fields 75

Appendix D: Supported Indicator Types for Integration Destinations 80

Appendix E: Indicator Types 82

Appendix F: SSH Key Pair Generation 92

Send Documentation Feedback 94



Chapter 1: Introduction
This chapter provides an overview of ThreatStream Link and covers these topics:

About Integrating With ThreatStream Appliance 6

Available Integrations 6

Anomali ThreatStream Link is the software that integrates your existing security infrastructure with
Anomali's ThreatStream platform (in the cloud) or with the on-premise ThreatStream Appliance.

ThreatStream Link connects to the ThreatStream platform or the ThreatStream Appliance and pulls
threat intelligence feeds into your existing tools and infrastructure, bringing current intelligence
into the security solutions you already run. It can output this data in formats such as CSV, Syslog,
and Common Event Format (CEF), and it can also integrate directly with security solutions in your
network.

In most cases, ThreatStream Link pushes threat intelligence into your existing security solutions.
For security products that pull information from other sources, ThreatStream Link can instead be
configured to serve the threat intelligence for those products to fetch.

The following illustration shows how ThreatStream Link integrates the ThreatStream cloud platform
with your existing security solutions:


The following illustration shows how ThreatStream Link integrates the ThreatStream Appliance with
your existing security solutions:

About Integrating With ThreatStream Appliance
A ThreatStream Link instance that communicates with a ThreatStream Appliance works exactly like one
that communicates with the ThreatStream cloud, except that it receives its threat intelligence from the
Appliance. Because the Appliance is an on-premise repository for your private intelligence and for all
public intelligence it has received from the ThreatStream cloud, a ThreatStream Link that talks to the
Appliance downloads all public and private intelligence from the Appliance instead of from the
ThreatStream cloud.

Available Integrations
As of this release, ThreatStream Link can forward threat intelligence to the following products. See
"Supported Indicator Types for Integration Destinations" on page 80 for the indicator types supported
by each integration destination.

Product Class       Product
SIEM                ArcSight ESM, Splunk, QRadar, NitroSecurity, LogRhythm, AccelOps, RSA NetWitness, Bro_intel (in beta)
Firewalls           Palo Alto Networks
Endpoint Security   Carbon Black, Tanium, CrowdStrike
Hadoop              Cloudera Impala, Hadoop Hive
DNS                 Infoblox

In addition, any product that can consume threat intelligence in CSV, CEF, or Syslog format can be a
destination.



Chapter 2: Installing and Upgrading ThreatStream Link
This chapter describes how to install ThreatStream Link on Windows and Linux platforms. The
following topics are discussed here:

About Installing ThreatStream Link 8

About Upgrading ThreatStream Link 8

System Requirements 9

Prerequisites 9

Downloading ThreatStream Link 10

Installing ThreatStream Link on Linux 11

Installing ThreatStream Link on Windows 17

Starting and Stopping ThreatStream Link Service 23

Rerunning ThreatStream Link Setup 24

Uninstalling ThreatStream Link 24

About Installing ThreatStream Link

For best performance, Anomali recommends installing ThreatStream Link on a dedicated system that
meets the system requirements listed in "System Requirements" on the next page and that can reach
the ThreatStream cloud or the ThreatStream appliance, depending on your deployment.

A single instance of ThreatStream Link can connect to multiple destinations. For example, you can
install ThreatStream Link on one system in your network to provide feeds to several SIEM servers, as
shown in the illustration in "Introduction" on page 5. However, a single instance of ThreatStream Link
has exactly one threat intelligence source: either the ThreatStream cloud platform or the ThreatStream
appliance.

About Upgrading ThreatStream Link

If the "Update ThreatStream Link software when upgrades become available" option was set to Yes
during ThreatStream Link configuration, the upgrade to 5.3.5 happens automatically the next time
ThreatStream Link polls for updates; you do not need to do anything else. Because this option lets
the Link host fetch and install new software unattended over its connection to ThreatStream, protect
the host and the opticlink.cfg file that controls this behavior accordingly.


System Requirements
ThreatStream Link must be installed on a system that meets the requirements listed in the following
table. Not all ThreatStream Link sources and destinations are supported on all platforms; see "Support
Matrix" on page 9 for details.

Platform                    Specifications
Linux (64-bit)              • Any Red Hat, CentOS, Fedora, Ubuntu, or Debian release running kernel version 2.6 or later
                            • SUSE Linux Enterprise 12
Windows (64-bit or 32-bit)  • Server 2003
                            • Server 2008
                            • Server 2012

Prerequisites
• For using ThreatStream Link with the ThreatStream cloud platform:
  - You must have a ThreatStream account to download and install ThreatStream Link. If you do not
    have an account, register at https://ui.threatstream.com.
  - The system on which ThreatStream Link will be installed must be able to access the Internet,
    specifically the ThreatStream API at https://api.threatstream.com/.

• For using ThreatStream Link with the ThreatStream appliance:
  - Access the ThreatStream Link installation package from the Downloads page of your appliance.
  - The system on which ThreatStream Link will be installed must be able to make an HTTPS
    connection to the appliance.

• Check the "ThreatStream Link Integrations" section on page 29 for requirements specific to the
  destinations you will be configuring for ThreatStream Link.

Support Matrix
Use the following table to determine the supported platform for your ThreatStream Link integration.

ThreatStream Link Source/Destination            Linux   Windows

If the source for ThreatStream Link is...
Optic Appliance (source)                        Yes     Yes

If the destination for ThreatStream Link is...
AccelOps                                        Yes     Yes
ArcSight ESM                                    Yes     Yes
Carbon Black                                    Yes     Yes
Bro_intel                                       Yes     Yes
Cloudera Impala                                 Yes     No
CrowdStrike                                     Yes     Yes
Hadoop Hive                                     Yes     Yes
Infoblox                                        Yes     Yes
LogRhythm                                       No      Yes
NitroSecurity                                   Yes     Yes
Palo Alto Networks                              Yes     Yes
QRadar API                                      Yes     Yes
QRadar (deprecated)                             Yes     No
RSA NetWitness                                  Yes     Yes
Splunk                                          Yes     Yes
Tanium                                          Yes     Yes

Downloading ThreatStream Link

Follow these instructions to download the software.

Note:

• Refer to "System Requirements" on the previous page to ensure that you pick a supported platform
  for your ThreatStream Link source or destination.

• The Optic Link-5.3.5.win32.msi file applies to both the 32-bit and the 64-bit versions of Windows.


To download the ThreatStream Link software:

1. If the ThreatStream Link source is the ThreatStream cloud: log in to the ThreatStream platform at
https://ui.threatstream.com from the system on which you want to install ThreatStream Link.

If the ThreatStream Link source is the ThreatStream Appliance: connect to your appliance's UI from
the system on which you want to install ThreatStream Link.

2. Click Downloads in the top menu.

The Downloads page opens.

3. Double-click the API Key and copy it.

You will need this key later to finish the installation. Treat it as a credential: it authenticates
ThreatStream Link to your ThreatStream account, and the setup wizard writes it into opticlink.cfg on
the Link host, so limit who can read that file.

4. In the ThreatStream Link section, click the platform (Windows or Linux) for which you want to
download the ThreatStream Link installation software.

The installation file for the platform you chose (.msi for Windows, .bin for Linux) is downloaded to
your system.

Installing ThreatStream Link on Linux

Note: You must be logged in as root to install ThreatStream Link on Linux.

Follow these steps to install ThreatStream Link on Linux:

1. Ensure that the .bin installation file you downloaded earlier is located on the Linux server.

2. Enter this command to make the installation file executable:

chmod +x opticlink_5.3.5_linux64.nnn.bin

where nnn is the build number.

3. If the ThreatStream Link source will be the ThreatStream cloud, enter this command:

./opticlink_5.3.5_linux64.nnn.bin

If the ThreatStream Link source will be the ThreatStream Appliance, enter this command:

./opticlink_5.3.5_linux64.nnn.bin -- -a https://appliance

where appliance is the IP address or the fully qualified domain name (FQDN) of the ThreatStream
appliance, and nnn is the build number.

4. Step through the configuration wizard and enter the following information.


ThreatStream Settings

Enter ThreatStream Link installation directory
    Directory or folder where you want to install ThreatStream Link. For example,
    /opt/threatstream_link or c:\program files (x86)\anomali\threatstream_link.

ThreatStream user name
    User name for the account that ThreatStream Link uses on the ThreatStream platform or the
    ThreatStream appliance (the threat intelligence feed source you are integrating with).

ThreatStream API Key
    The API key you copied when you downloaded ThreatStream Link.

Is this a fresh install?
    Yes or No. Default: Yes.
    Your response determines whether ThreatStream Link performs a complete download of all threat
    intelligence and SIEM content. Choose Yes if this is the first time you are installing
    ThreatStream Link on this system. Choose No if ThreatStream Link already exists on this system
    and you are using this wizard to add or delete integration destinations.

Do you want to use your Org's configured whitelist?
    Yes or No. Default: Yes.
    A whitelist is a list of domains, IP addresses, URLs, email addresses, and CIDR subnets that are
    known good for your organization. This is the whitelist configured in ThreatStream for the user
    name with which you are connected to ThreatStream. To access the whitelist, click Settings >
    Import Whitelist.

Proxy Setting

Enable proxy support
    Yes or No. Default: No.
    If Yes, enter the following additional information:
    - Type of proxy: HTTP or NTLM. Default: HTTP.
    - Proxy server host name or IP address.
    - Port on which the proxy server listens for connections.
    - Does the proxy require authentication? Yes or No. Default: No. If Yes, enter the user name
      and password needed to connect to the proxy server. The credentials are obfuscated before
      they are stored in the configuration file; obfuscation is reversible, so restrict read access
      to opticlink.cfg and use a proxy account that has no privileges beyond outbound web access.

Configure Integration

What would you like to do?
    Add, Delete, or Done. Default: Add if no destination is configured; Done if at least one
    destination is configured.
    Specify whether you want to add or delete an integration destination, or exit (Done) the
    Configure Integration wizard.

Which product(s) would you like to integrate with?
    Depending on the product you select from the list, you are prompted for the settings relevant
    to that product. For example, if you select Splunk, you are prompted for the Splunk version
    number, the search head information, and so on. See "ThreatStream Link Integrations" on page 29
    for all the settings and guidelines relevant to the product you are integrating.
    Notes:
    - The values are case sensitive and must be entered exactly as they appear in the list.
    - You can add multiple products iteratively by entering "add" until you are done adding products.
    - Support for destinations marked with an asterisk (*) in the list is in the beta stage.

ThreatStream Link Settings

Friendly name to track this installation
    Default: host name of the machine running ThreatStream Link.
    This name identifies this configuration in the opticlink.cfg file and is displayed under My
    Sensors on the ThreatStream dashboard. Example: ESM_NY

Filter expression for filtering threat intelligence from ThreatStream
    Default: blank (no filtering).
    You can define a source filter to tailor the threat feed to your security and infrastructure
    needs. For example, you may be interested only in IOCs with a confidence value of 70 or greater.
    For more information about creating source filters, see "Configuring Filters" on page 26.

Update ThreatStream Link software when upgrades become available?
    Yes or No. Default: Yes. Recommended: Yes.
    Choosing Yes automatically upgrades your ThreatStream Link installation when updates are
    available from Anomali.

Update Optic content (rules/reports/dashboards) on integrated products (applicable to ArcSight ESM only)
    Yes or No. Default: Yes.
    Choosing Yes automatically updates content such as rules, reports, and dashboards that
    ThreatStream provides for your destination. This setting is displayed if you are adding ArcSight
    ESM as a destination or if ArcSight ESM already exists as a destination of this ThreatStream Link
    installation. Even if you are configuring another ThreatStream Link destination at the moment,
    set this to Yes so that ESM continues to receive updates from ThreatStream.

Enable My Attacks (applicable to ArcSight ESM only)
    Yes or No. Default: Yes.
    This setting controls whether ThreatStream Link periodically collects information about IOCs
    that were matched in your environment and sends it back to ThreatStream. It is displayed if you
    are adding ArcSight ESM as a destination or if ArcSight ESM already exists as a destination of
    this ThreatStream Link installation. Even if you are configuring another ThreatStream Link
    destination at the moment, set this to Yes so that ESM continues to send information to
    ThreatStream.

Note: If you are not logged in as root (Linux) or did not start the installer with "Run as
administrator" (Windows), you are not prompted for the following settings.

Install ThreatStream Link as a service?
    Yes or No. Default: Yes.
    If you choose No, use your operating system's scheduler to run ThreatStream Link on a schedule.
    For integrations such as Palo Alto Networks and AccelOps, install ThreatStream Link as a service
    so that these products can connect to ThreatStream Link and download indicators at any time.

Poll frequency for new indicator/software/content
    Time interval at which ThreatStream Link checks with the ThreatStream service for updated
    threat intelligence and software updates. For example, 5m (5 minutes), 1h (one hour), 1w (one
    week). Default: 1h.
    Anomali recommends using the default value or a longer interval.

Unix user to run the Optic Link process as
    Default: root.
    Specify the user name under which the ThreatStream Link service runs. For least privilege,
    prefer a dedicated unprivileged account that can write only to the installation directory (and
    to any destination path it must write to) over the default of root.

5. The configuration values you specified are written to a configuration file. The following message
is displayed:

[2015-02-12 09:47:36,350] [INFO ] Writing config to /<install_dir>/opticlink.cfg

6. Start the ThreatStream Link service as described in "Starting and Stopping ThreatStream Link
Service" on page 23.

7. The following integrations require additional steps:

• Carbon Black
• AccelOps
• RSA NetWitness

See "ThreatStream Link Integrations" on page 29 to complete configuration for these integrations.


Installing ThreatStream Link on Windows

Note: You must use the "Run as administrator" option on your Windows system for the entire
procedure below.

To install ThreatStream Link on Windows:

1. Double-click the Optic Link-5.3.5.win32.nnn.msi file you downloaded to start the installation,
where nnn is the build number.

Note: The Windows installer does not require user interaction and installs the Optic Link software
automatically.

Once installation completes, confirm that the following directories and files exist:

• On a 32-bit system: c:\Program Files\Optic Link
• On a 64-bit system: c:\Program Files (x86)\Optic Link
• On Windows 2008 and Windows 2012: c:\programdata\Optic Link\opticlink.cfg
• On Windows 2003: c:\documents and settings\all users\application data\Optic Link\opticlink.cfg
• Log file for all Windows platforms: c:\programdata\Optic Link\opticlink.log

2. If the ThreatStream Link source will be the ThreatStream cloud, enter this command from the
installation directory:

opticlink_windows_service.exe -s

If the ThreatStream Link source will be the ThreatStream Appliance, enter this command:

opticlink_windows_service.exe -s --appliance-url https://appliance

where appliance is the host name or IP address of the ThreatStream appliance.

3. Step through the configuration wizard and enter the information described in the settings table
under step 4 of "Installing ThreatStream Link on Linux" on page 11. The prompts are identical on
Windows, except that Windows does not ask for a Unix user to run the process as.

4. The configuration values you specified are written to a configuration file. The following message
is displayed:

On Windows 2008 and Windows 2012:

[2015-02-12 09:47:36,350] [INFO ] Writing config to c:\programdata\Optic Link\opticlink.cfg

On Windows 2003:

[2015-02-12 09:47:36,350] [INFO ] Writing config to c:\documents and settings\all users\application data\Optic Link\opticlink.cfg

5. Enter the following command to install ThreatStream Link as a Windows service:

opticlink_windows_service install

Note: This step is required even if you chose to install ThreatStream Link as a service in the
configuration wizard. Make sure you are using the "Run as administrator" option on the Windows
system when performing this step.

6. Start the ThreatStream Link service as described in "Starting and Stopping ThreatStream Link
Service" on the next page.

7. The following integrations require additional steps:

• Carbon Black
• AccelOps
• RSA NetWitness

See "ThreatStream Link Integrations" on page 29 to complete configuration for these integrations.


Starting and Stopping ThreatStream Link Service

On Windows

Note:

• You must be logged in as a user with administrator privileges to start and stop ThreatStream Link
  on Windows.

• If you are integrating with a Splunk instance installed on Windows, make sure that the ThreatStream
  Link service is configured to run as the user who installed ThreatStream Link; otherwise copying
  threat intelligence to the shared folders on Splunk will fail.

To start the ThreatStream Link service:

1. Open the Services console (services.msc) on your Windows system.

2. Locate ThreatStream Link in the list of services.

3. (Optional) Right-click the service, select Properties, and change "Startup type" to Automatic so
that the service starts automatically.

4. Click Start to start the service.

To stop the ThreatStream Link service:

1. Open the Services console (services.msc) on your Windows system.

2. Locate ThreatStream Link in the list of services.

3. Click Stop to stop the service.

On Linux

Note: The following commands must be run as root.

Start the service: /etc/init.d/opticlink start

Stop the service: /etc/init.d/opticlink stop


Rerunning ThreatStream Link Setup

On Windows

To rerun ThreatStream Link setup:

1. Stop the ThreatStream Link service.

2. Run this command using the "Run as administrator" option:

<install_path>\opticlink_windows_service -s

3. Start the ThreatStream Link service.

Note: Anomali recommends using the -s option, as shown above, to rerun setup. If you use the -i
option instead, you must first disable the ThreatStream Link service, rerun the setup, and then
re-enable the service: in the opticlink.cfg file, change opticlink_service = yes to
opticlink_service = no, save the file, rerun the setup with -i, and afterwards restore
opticlink_service = yes.

On Linux

To rerun the ThreatStream Link setup:

1. Log in as root.

2. Run the following command:

<install_dir>/opticlink -s

Uninstalling ThreatStream Link

On Windows

1. Uninstall the ThreatStream Link program using the "Run as administrator" option, as you would any
other program on your Windows system (Control Panel > Programs > Uninstall a Program).

2. Uninstall the ThreatStream Link service, if you configured it:

a. Ensure that you are logged in as a user with administrator privileges.

b. On a command line, enter the following command to determine whether the ThreatStream Link
service is still registered: sc query state= all

If Optic Link is listed in the output, the service is still registered. (Because state= all lists
stopped services as well as running ones, a listing does not by itself mean the service is running.)

c. If the service is running, stop it first with: sc stop "Optic Link"

Then delete it with: sc delete "Optic Link"

3. Ensure that all files were removed from the following directories:

• <install_dir>, where ThreatStream Link is installed
• ProgramData\Optic Link

On Linux

1. Log in as root.

2. Run this command: <install_dir>/scripts/uninstall



Chapter 3: Configuring Filters
This chapter describes how to configure filters to customize threat feeds from ThreatStream Link. The
following topics are discussed here:

Understanding Filters 26

Specifying Filters 27

Troubleshooting Filters 28

Understanding Filters
By default, ThreatStream Link downloads all intelligence applicable to your destinations, including
all fields. However, you may be interested only in threat intelligence that matches specific
conditions, for example only indicators with a specific confidence, severity, or threat type.

You can configure ThreatStream Link to download only the threat intelligence that matches criteria
of your choice. Doing so not only tailors the threat intelligence to your needs but also reduces the
size of the download.

You set up a filter to tailor the threat feed to your infrastructure. You can set up two types of
filters on ThreatStream Link:

• A source filter controls the threat intelligence that is downloaded from ThreatStream to
  ThreatStream Link.

  There can be only one source filter per ThreatStream Link instance. Not all fields available on
  ThreatStream are supported for a source filter. See "Fields" on page 75 for the list of supported
  fields.

• A destination filter controls the threat intelligence that is passed from ThreatStream Link to a
  destination configured on it.

  Destination filters are destination specific; therefore, you can set up a unique filter for each
  destination. Not all fields available on ThreatStream are supported for a destination filter. See
  "Fields" on page 75 for the list of supported fields.


Specifying Filters
A basic filter expression takes one of the following forms:

• <string_field> <string_operator> <string_value>

• <numeric_field> <numeric_operator> <numeric_value>

• <date_field> <date_operator> <date_value>

Note:

• The field names, operator names, and values are case sensitive. A list of allowed values
for the field types is available at "Fields" on page 75.

• Although the value for a string field only needs to be enclosed in double quotes (" ") if the
string value contains special characters such as a space, dash, slash, and so on, as a best
practice always enclose string values in double quotes.

Fields and Supported Operators

See "Fields for Filtering" on page 75 for a list of fields, operators you can use, and the indicator types
available for filtering.

Building Complex Filters

You can use the boolean operators AND, OR, and NOT, and parentheses (), to build complex
(nested) expressions that include multiple field types.

If you need to search for specific indicator values, use the srcip, domain, md5, and url fields along with
itype, as shown in Example #3 below.

See "Fields for Filtering" on page 75 for a complete list of fields, operators you can use, and the
indicator types available for filtering.

Note: Although the value for a string field only needs to be enclosed in double quotes (" ") if the
string value contains special characters such as a space, dash, slash, and so on, as a best
practice always enclose string values in double quotes.

Examples:

1. confidence > 75 AND type !=email AND type !=md5

2. (confidence >= 90 OR itype != bot_ip) AND severity = "very-high"

3. itype = actor_ip AND srcip startswith "198."

4. ((itype != "bot_ip" AND confidence >= 75) OR (itype = "bot_ip" AND confidence >= 99)) AND
classification = "public"

5. confidence > 75 AND (itype startswith apt OR itype startswith mal OR itype startswith c2)

6. (itype="scan_ip" OR itype="mal_ip") AND stream_id=0 AND source="@mycompany.com"

Specifying stream_id=0 returns IOCs that are not associated with any streams, such as IOCs that
were imported into ThreatStream. The source field is useful in filtering IOCs from a specific
source, such as a user, a company, or a specific domain. This field is supported on ThreatStream
Link, as shown in the example above.

To limit the filter to IOCs imported by a specific source and marked private, modify this filter to
(itype="scan_ip" OR itype="mal_ip") AND (classification="private" AND stream_id=0 AND
source="@mycompany.com")

Troubleshooting Filters
If a filter you enter is invalid, use the following tips to troubleshoot the syntax of your filter:

• Field names, operator names, and values are case sensitive. Ensure that you used the
expected case. Boolean operators must be entered in upper case.

• String values with special characters must be enclosed in double quotes.

• Ensure that you are using valid operators with a field type. For example, do not use the startswith
operator with a Date field.

• Not all fields are supported for source and destination filtering on ThreatStream Link. Ensure that
you are using supported fields for source and destination filters.
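The filter grammar described in this chapter, together with the troubleshooting tips above, as an added worked example (this is not code from ThreatStream Link or Anomali): a small parser and evaluator that accepts the three clause forms, the upper-case AND, OR and NOT operators and parentheses, rejects the mistakes the troubleshooting list names with a message that says which one was made, and runs the chapter's six example filters (plus the modified_ts > -14d relative date used in the integration settings) against a few constructed indicators. The field-to-type table and the relative-date syntax it accepts are assumptions made for the example; the product's own list of fields, operators and indicator types is in "Fields for Filtering" on page 75.

```python
import operator
import re
from datetime import datetime, timedelta

# Field catalogue assumed for this example; the page's "Fields for Filtering" table is not
# reproduced here, so the type of each field is inferred from the chapter's worked examples.
FIELD_TYPES = dict.fromkeys("itype type severity classification source srcip domain md5 url".split(), "string")
FIELD_TYPES.update(confidence="numeric", stream_id="numeric", modified_ts="date")
NUMERIC_OPS = {"=", "!=", ">", ">=", "<", "<="}
OPERATORS = {"string": {"=", "!=", "startswith"}, "numeric": NUMERIC_OPS, "date": NUMERIC_OPS}
COMPARE = {"=": operator.eq, "!=": operator.ne, ">": operator.gt, ">=": operator.ge,
           "<": operator.lt, "<=": operator.le, "startswith": lambda a, b: str(a).startswith(b)}
BOOLEAN = ("AND", "OR", "NOT")
# Tokens: parentheses, operators (longest first so ">=" is not split), quoted strings, bare words
# such as apt, 75 or -14d; the trailing \S turns any stray character into a token the parser rejects.
TOKEN_RE = re.compile(r'\(|\)|!=|>=|<=|[=<>]|"[^"]*"|[A-Za-z0-9_.@\-]+|\S')

class FilterError(ValueError):
    """Filter rejected; the message mirrors the troubleshooting tips above."""

class Parser:
    """Recursive descent: OR binds loosest, then AND, then NOT, then ( ) and "field op value"."""
    def __init__(self, text):
        self.tokens, self.i = TOKEN_RE.findall(text) + [None], 0  # None marks the end of input
    def take(self):
        tok = self.tokens[self.i]
        if tok is not None:  # never step past the end marker
            self.i += 1
        return tok
    def parse(self):
        node = self.parse_or()
        tok = self.tokens[self.i]
        if tok is not None:
            hint = " (boolean operators must be upper case)" if tok.upper() in BOOLEAN else ""
            raise FilterError(f"unexpected token {tok!r}{hint}")
        return node
    def parse_or(self):
        return self.parse_binary("OR", lambda: self.parse_binary("AND", self.parse_not))
    def parse_binary(self, name, operand):
        node = operand()
        while self.tokens[self.i] == name:
            self.take()
            node = (name, node, operand())
        return node
    def parse_not(self):
        tok = self.take()
        if tok == "NOT":
            return ("NOT", self.parse_not())
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise FilterError("missing closing parenthesis")
            return node
        return self.parse_comparison(tok)
    def parse_comparison(self, field):
        ftype = FIELD_TYPES.get(field)
        if ftype is None:
            raise FilterError(f"unknown or unsupported field {field!r} (names are case sensitive)")
        op, raw = self.take(), self.take()
        if op not in OPERATORS[ftype]:
            raise FilterError(f"operator {op!r} is not valid for {ftype} field {field!r}")
        if raw is None or raw in ("(", ")") or raw in NUMERIC_OPS:
            raise FilterError(f"missing value after {field} {op}")
        value = raw[1:-1] if raw.startswith('"') else raw  # strip the quotes of string literals
        if ftype == "numeric" and re.fullmatch(r"-?\d+(\.\d+)?", value):
            value = float(value)
        elif ftype == "date" and re.fullmatch(r"-?\d+d", value):  # relative date such as -14d
            value = timedelta(days=int(value[:-1]))
        elif ftype != "string":
            raise FilterError(f"{value!r} is not a valid {ftype} value")
        return ("CMP", field, op, value)

def evaluate(node, indicator, now):
    """Evaluate a parsed filter against one indicator (a dict of field values)."""
    if node[0] in BOOLEAN:
        parts = [evaluate(sub, indicator, now) for sub in node[1:]]
        return all(parts) if node[0] == "AND" else any(parts) if node[0] == "OR" else not parts[0]
    _, field, op, value = node
    if field not in indicator:
        return False  # the indicator carries no such field, so it cannot match
    actual = indicator[field]
    if FIELD_TYPES[field] == "date":
        actual = actual - now  # age as a negative timedelta, so "> -14d" means within 14 days
    return COMPARE[op](actual, value)

def validate(text):
    """None if the filter parses, else the reason it was rejected (what you would troubleshoot)."""
    try:
        Parser(text).parse()
    except FilterError as e:
        return str(e)

# Constructed sample indicators (not ThreatStream data) for the chapter's example filters.
NOW = datetime(2016, 11, 16)
BASE = {"type": "ip", "severity": "high", "classification": "public", "stream_id": 0, "source": "@mycompany.com"}
SAMPLE = [
    {**BASE, "id": 1, "itype": "actor_ip", "srcip": "198.51.100.7", "confidence": 80,
     "severity": "very-high", "modified_ts": NOW - timedelta(days=3)},
    {**BASE, "id": 2, "itype": "bot_ip", "srcip": "203.0.113.9", "confidence": 95, "severity": "very-high",
     "classification": "private", "stream_id": 12, "source": "feed", "modified_ts": NOW - timedelta(days=30)},
    {**BASE, "id": 3, "itype": "mal_md5", "type": "md5", "md5": "d41d8cd98f00b204e9800998ecf8427e",
     "confidence": 99, "modified_ts": NOW - timedelta(days=1)},
    {**BASE, "id": 4, "itype": "scan_ip", "srcip": "192.0.2.44", "confidence": 60, "severity": "low",
     "classification": "private", "modified_ts": NOW - timedelta(days=10)},
]

def matching_ids(filter_text, indicators=SAMPLE, now=NOW):
    """Parse the filter and return the ids of the indicators it selects, in input order."""
    tree = Parser(filter_text).parse()
    return [ind["id"] for ind in indicators if evaluate(tree, ind, now)]
```

Calling matching_ids with each of the six example filters returns [1, 2], [1, 2], [1], [1, 3], [3] and [4] for the sample set, and validate returns messages such as "unexpected token 'and' (boolean operators must be upper case)" for the lower-case mistake and "operator 'startswith' is not valid for date field 'modified_ts'" for the wrong operator. Because field names, operators and values are compared exactly, the parser is as case sensitive as the product's filter syntax; a missing field on an indicator is treated as a non-match rather than an error, which is the safe direction for a destination filter.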

Appendix A: ThreatStream Link Integrations
This appendix lists the integration settings you configure when you integrate your security products
with ThreatStream Link. Where applicable, integration guidelines and additional configurations are also
listed. The following products are covered here:

AccelOps 30

ArcSight ESM 37

Carbon Black 38

BroIntel 43

CEF 44

Cloudera Impala 45

CrowdStrike 47

CSV 48

Hadoop Hive 49

Infoblox 51

LogRhythm 53

NitroSecurity 54

Palo Alto Networks 55

QRadar API 57



AccelOps
Guidelines
• Configure ThreatStream Link to run as a service to ensure that the HTTP server is always available
for AccelOps to download indicators from ThreatStream Link.

• Do not use the same ThreatStream Link installation to serve indicators to QRadar API, Palo Alto
Networks firewall, AccelOps, and RSA NetWitness destinations.

• AccelOps integration with ThreatStream Link requires about 40 GB of disk space on the
ThreatStream Link system. Make sure that the ThreatStream Link system is provisioned for
sufficient disk space.

• DO NOT create more than one list to retrieve IP-based indicators from the same ThreatStream
Link on an AccelOps system. Doing so can cause indicators to get out of sync between AccelOps
and ThreatStream Link.

• If you configure AccelOps to incrementally update indicators from ThreatStream Link,
DO NOT manually delete any indicators from AccelOps. Doing so can cause indicators to get out of
sync between AccelOps and ThreatStream Link.

Integration Settings
You must configure these settings if you enter "accelops" as the response to the "Which product(s) would
you like to integrate with:" question during the ThreatStream Link installation.

AccelOps version:
    Default: 4.4
    Version of AccelOps with which you want to integrate.

Mode to update indicators:
    Full or Incremental
    Default: Full
    Whether to download a complete list of indicators every time or only download
    the changes since the last download (incremental update).

Maximum number of indicators:
    Default: 30000
    Maximum number of indicators that will be downloaded.

HTTP service port:
    Default: 8788
    Port on which the HTTP or HTTPS connection to ThreatStream Link should be
    established from AccelOps.

Filter expression for this destination:
    Criteria by which threat intelligence will be filtered to the destination. If you do
    not want to use a filter, leave this field blank. Example: modified_ts > -14d.
    See "Fields for Filtering" on page 75 for fields and "Indicator Types" on page 82
    for indicators you can specify in the filter.
    Note: The following field cannot be specified in a destination filter: feed_group.

Additional Configuration After Installing ThreatStream Link

By default, ThreatStream Link is designed to use HTTPS to connect to AccelOps and is shipped with
a self-signed certificate. However, connecting via HTTP is also available. Both methods require
additional setup on AccelOps. Use the information in this section to configure the protocol of your choice.

Configuring AccelOps to Use HTTPS to Communicate with ThreatStream Link

To enable HTTPS-based communication between AccelOps and ThreatStream Link, AccelOps must
recognize ThreatStream Link's self-signed certificate.

Use these steps to enable AccelOps to recognize ThreatStream Link's self-signed certificate:

1. Locate ThreatStream Link's self-signed certificate in the <install_dir>/scripts directory of
ThreatStream Link. The certificate file is called ssl_cert.pem.

2. Copy the ssl_cert.pem file to the /root/ directory on the AccelOps server.

3. Run this command:

keytool -importcert -alias ThreatStream_opticlink -file /root/ssl_cert.pem -keystore /opt/glassfish3/glassfish/domains/domain1/config/cacerts.jks -storepass changeit

4. Enter Yes at the "Trust this certificate?" prompt.

5. Restart the AccelOps server.

6. Add the following entry to the hosts file on the AccelOps server:

<IP_address_of_Optic_Link> opticlink

Note: It is very important to enter this entry accurately. Not doing so will result in the
self-signed certificate not being recognized on AccelOps.


Configuring AccelOps to Use HTTP to Communicate with ThreatStream Link

Use these steps to enable AccelOps to allow HTTP-based communication between AccelOps and
ThreatStream Link.

1. After ThreatStream Link has been installed but not yet started, rename the
<install_dir>/scripts/ssl_key.pem file to another name such as orig_ssl_key.pem.

2. Start the ThreatStream Link service, as described in "Starting and Stopping ThreatStream Link
Service" on page 23.

Configuring AccelOps to Start Receiving Indicators From ThreatStream Link

Note: Make sure you perform these steps only after configuring AccelOps to use either HTTPS or
HTTP to communicate with ThreatStream Link, as described previously in this section.

Follow these instructions to configure the AccelOps system to start receiving indicators from
ThreatStream Link:

1. Locate the ol-accelops-plugin-1.0-SNAPSHOT.jar file in the plugin folder of the
ThreatStream Link installation directory.

2. Run the following commands to SCP the file to the following folders on the AccelOps system:

scp ol-accelops-plugin-1.0-SNAPSHOT.jar admin@<IP_address>:/opt/phoenix/java/lib

scp ol-accelops-plugin-1.0-SNAPSHOT.jar admin@<IP_address>:/opt/glassfish/domains/domain1/applications/phoenix/lib

where <IP_address> is the IP address of the AccelOps system.

3. Restart the AccelOps system as follows:

a. Run this command and locate the process IDs of the two Java processes running on the
AccelOps system:

ps -ef | grep java

b. Run this command to kill the two processes:

kill -9 <process_id_1>

kill -9 <process_id_2>

The two Java processes are restarted automatically.

4. Connect to the AccelOps user interface and configure the following three lists to retrieve indicators
from ThreatStream Link:


- TS_Blocked_Domains: Create this list under Blocked Domains. It will be used for domain
indicators.

- TS_Blocked_URLs: Create this list under Blocked Domains. It will be used for URL
indicators.

- TS_Blocked_IP: Create this list under Blocked IP. It will be used for IP indicators.

Note:

• The names specified here are suggestions. You can use names of your choice.

• DO NOT create more than one list to retrieve IP-based indicators from the
same ThreatStream Link on an AccelOps system. Doing so can cause indicators to get out of
sync between AccelOps and ThreatStream Link.

1. For each list that you created, perform these steps:


a. Select the list from the left pane.

b. Click Update.

c. Select Update via API.

d. Click Add.

The Data Mapping window is displayed.


e. Configure the following settings.

URL:
    For the TS_Blocked_Domains list, enter:
    http://opticlink:8788/threatstream_accelops_domain.csv

    For the TS_Blocked_URLs list, enter:
    http://opticlink:8788/threatstream_accelops_url.csv

    For the TS_Blocked_IP list, enter:
    http://opticlink:8788/threatstream_accelops_ip.csv

    Note: If you configured AccelOps to use the ThreatStream Link self-signed
    certificate, change the URLs above to use HTTPS.

User Name:
    Leave it blank.

Password:
    Leave it blank.

Plugin class:
    If you will be configuring AccelOps to perform a full update of indicators
    from ThreatStream Link, skip this field.

    If you will be configuring AccelOps to perform an incremental update of
    indicators from ThreatStream Link, enter:
    com.threatstream.IntelligenceUpdateService

Field Separator:
    Accept the default (comma).

Data Format:
    For a full update every time, select CSV and Full.
    For an incremental update, select Custom and Incremental.

Data Mapping:
    Note: Configure this field only for full updates. The Plugin class provides the
    mapping for incremental updates.

    For the TS_Blocked_Domains and TS_Blocked_URLs lists, map the Data Mapping
    fields as shown in the following figure.

    For the TS_Blocked_IP list, map the Data Mapping fields as shown in the
    following figure.

    Note: Map the Name, Low IP, and High IP fields to Position 2.


2. Click Save.

3. Add a schedule for each list as follows:

If you chose the Full Update option for indicator updates, configure a schedule for your AccelOps
system to download indicators from ThreatStream Link. As a best practice, configure the
full update schedule such that it runs after ThreatStream Link downloads the latest indicators.

If you chose Incremental Update, you must ensure that the ThreatStream Link download schedule
is tightly coordinated with the incremental update schedule. The incremental update must occur
right after ThreatStream Link downloads the latest indicators from ThreatStream, and before
the next round of indicators is downloaded on ThreatStream Link. Doing so ensures that
AccelOps picks up exactly the latest indicators downloaded on ThreatStream Link. For example, if
ThreatStream Link is scheduled to run every hour, with the updates starting at 10 minutes past
each hour and finishing in 30 minutes, configure AccelOps to start hourly at 50 minutes past the
hour.

4. Click Close to save the schedule.

4. Click Close to save the schedule.


ArcSight ESM
Integration Settings
You must configure these settings if you enter "arcsight_esm" as the response to the "Which product(s)
would you like to integrate with:" question during the ThreatStream Link installation.

ESM version:
    Default: 6.5
    Version of ArcSight ESM with which you want to integrate. Versions 5.2, 6.0, and 6.5 are
    supported.

ESM hostname:
    Host name or IP address of the system on which ESM is installed.

ESM port:
    Default: 8443
    Port on the ESM server to which ThreatStream Link will connect to download the
    ThreatStream content.

ESM user name:
    User name ThreatStream Link will use to connect to the ESM server.

ESM password:
    Password associated with the specified user name.

Syslog host:
    Name or IP address of the Syslog server to which the ThreatStream intelligence
    will be downloaded.

Syslog port:
    Default: 514
    Port on the Syslog host to which ThreatStream Link will connect to download the
    ThreatStream intelligence.

Syslog facility:
    Default: local0


Carbon Black
Guidelines
When threat intelligence is pushed from ThreatStream Link to Carbon Black:

• You must create a folder on the Carbon Black server to which the threat intelligence from
ThreatStream Link will be downloaded. For example, create a folder /tmp/ts for threat intelligence
from ThreatStream.

Note: This folder must exist on the Carbon Black server before you configure a Carbon Black
destination on ThreatStream Link.

• A user with SSH access privileges to the Carbon Black server must exist. You will need to provide
the user name of such a user during the configuration of a Carbon Black destination on
ThreatStream Link.

When threat intelligence is fetched from ThreatStream Link by Carbon Black:

• You must enable the General Sharing Settings - Enable Alliance Communication on Carbon Black.

Integration Settings
You must configure these settings if you enter "carbonblack" as the response to the "Which product(s)
would you like to integrate with:" question during the ThreatStream Link installation.

Threat intelligence from ThreatStream to Carbon Black contains IP, domain, and MD5-based
indicators.

Threat intelligence can be either pushed from ThreatStream Link to the Carbon Black server, or the
Carbon Black server can pull it.

When ThreatStream Link pushes threat intelligence, it downloads and securely copies the threat
intelligence files to the Carbon Black server, and then makes a REST API call to load those files on the
Carbon Black server.

When Carbon Black fetches threat intelligence, the Carbon Black server makes an HTTP or HTTPS
connection to ThreatStream Link.


Once threat intelligence has been loaded to a Carbon Black server, you can view threat reports, set up
alerts, watchlists, and so on from the Carbon Black "alliance-feeds" UI page. See "Additional
Configuration After Installing ThreatStream Link" on the next page for more information.

Carbon Black version:
    Default: 5.0
    Version of Carbon Black with which you want to integrate.

Do you want ThreatStream Link to push data to Carbon Black or let Carbon Black fetch from it:
    Push, Fetch
    Default: Push
    Threat intelligence can be either pushed automatically from ThreatStream Link to
    Carbon Black, or the Carbon Black server can make a web server connection to
    ThreatStream Link to pull (fetch) the intelligence from it.

If you enter Push, configure the following parameters:

Carbon Black server url:
    URL (of the Carbon Black server) that ThreatStream Link will use to make the REST
    call to load the threat intelligence files to the Carbon Black server.

API token:
    The API token of the Carbon Black server admin.
    ThreatStream Link will use this token to connect to the Carbon Black server.

Carbon Black folder for ThreatStream feed:
    Name of the folder to which ThreatStream Link will copy the ThreatStream intelligence.
    SCP is used to securely copy the intelligence files.

Maximum number of indicators:
    Default: 10000
    Maximum number of indicators that will be downloaded.

SSH port:
    Default: 22
    SSH port that ThreatStream Link will use to connect to the Carbon Black server for
    copying intelligence files.

Filter expression for this destination:
    Criteria by which threat intelligence will be filtered to the destination. If you do not
    want to use a filter, leave this field blank. Example: modified_ts > -14d.
    See "Fields for Filtering" on page 75 for fields and "Indicator Types" on page 82 for
    indicators you can specify in the filter.
    Note: The following field cannot be specified in a destination filter: feed_group.

SSH auth:
    public key or password
    Default: password
    Select "password" if you will use a user name and password for authenticating.
    Select "public key" if you want to use an SSH key pair for authentication. See
    "SSH Key Pair Generation" on page 92 for more information about setting up an SSH
    key pair.

SSH user:
    Default: <logged_in_user>
    User name to use for connecting to the Carbon Black server.

SSH password, or SSH private key and SSH private key password:
    The settings displayed depend on the authentication option you selected for SSH auth.
    • If you selected password, enter the password for the SSH user.
    • If you selected public key, enter the SSH private key and the SSH private key
      password.

If you entered Fetch, configure the following parameters:

Web Server Port:
    Default: 8589
    Specify the port on Optic Link that the Carbon Black server will connect to for
    fetching threat intelligence.

Maximum number of indicators:
    Default: 10000
    Maximum number of indicators that will be downloaded.

Enable SSL:
    Yes, No
    Default: No
    Specify whether the Carbon Black server will make HTTP or HTTPS connections to
    fetch threat intelligence.

Additional Configuration After Installing ThreatStream Link

Receiving Threat Intelligence
If you configured ThreatStream Link to push threat intelligence to Carbon Black, a ThreatStream feed
widget is displayed on the Threat Intelligence Feeds page of your Carbon Black server
(https://<carbon_black_server>/#/alliance-feeds). The threat feed from ThreatStream is automatically
enabled after you complete the ThreatStream Link setup for Carbon Black.

If you configured ThreatStream Link such that the Carbon Black server will fetch threat intelligence
from it, you must add a new feed on the Threat Intelligence Feeds page as shown in the following
example. Change the IP address shown in the Feed URL field to the IP address of your ThreatStream
Link.

Filtering Threat Intelligence

Threat intelligence from ThreatStream to Carbon Black contains IP, domain, and MD5-based
indicators.


By default, the maximum number of indicators you can download is 10,000. Adhering to this limit
ensures optimal performance and also eliminates indicators with lower priority. Anomali suggests
specifying a filter (or fine tuning the filter if one exists already) to limit the number of indicators to the
allowable limit. You can filter indicators that are downloaded to the Carbon Black server by specifying
criteria, such as (confidence >= 90 AND (itype startswith "c2" OR itype startswith "apt")). See
"Configuring Filters" on page 26 for more information.

Configuring Alerts
To receive alerts when an indicator from ThreatStream matches data on Carbon Black, click Create
Alert, as shown in the following figure.

Synchronizing Threat Intelligence from ThreatStream

The schedule Carbon Black follows to fetch threat indicators from ThreatStream Link depends on
the schedule set on the Carbon Black server for the Full Sync option through the feed_sync cron job.
Refer to your Carbon Black cron job settings for this information.

When ThreatStream Link updates threat indicators on Carbon Black, it updates threat intelligence
based on the schedule specified in the "Poll frequency for new content" setting during the ThreatStream
Link installation (by default, 1 hour).

In both cases, the existing ThreatStream indicators are removed and replaced with the latest ones.

Note: The Incremental Sync option available on the ThreatStream widget (under the Actions drop
down), on the Threat Intelligence Feeds page, is inactive and does not update intelligence from
ThreatStream. Threat intelligence is always updated automatically through ThreatStream Link,
based on the specified schedule.


BroIntel
Integration Settings
You must configure these settings if you enter "bro_intel" as the response to the "Which product(s) would
you like to integrate with:" question during the ThreatStream Link installation.

Bro_intel directory:
    The directory where the ThreatStream intelligence should be written on the destination.
    Examples: /opt/threatstream or c:\programdata\Optic Link

Should output files be overwritten (instead of appended) on each run:
    Yes or No
    Default: No
    Your response determines if the existing file should be overwritten or appended when
    new intelligence is downloaded.


CEF
Integration Settings
You must configure these settings if you enter "cef" as the response to the "Which product(s) would you
like to integrate with:" question during the ThreatStream Link installation.

CEF file:
    Specify a name for the CEF file to which intelligence from ThreatStream is downloaded.
    Example: TS_top1000

Should output files be overwritten (instead of appended) on each run:
    Yes or No
    Default: No
    Your response determines if the existing file should be overwritten or appended when
    new intelligence is downloaded.
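The overwrite-or-append setting above decides whether the CEF file accumulates every download or holds only the latest one. The following added example (not ThreatStream Link code) writes a few constructed indicators as CEF lines, with the escaping the CEF header and extension require, in both modes, and then reads the file back the way a SIEM collector would, which shows that append mode leaves duplicate and stale lines for the consumer to de-duplicate. The field mapping (src, dhost, request and fileHash for the indicator value, cs1/cs2 for confidence and classification), the vendor and product header values, and the confidence-to-severity scaling are this example's assumptions, not the layout ThreatStream Link itself produces.

```python
import os
import re
import tempfile

# CEF header fields escape '|' and '\'; extension values escape '=', '\' and line breaks.
def esc_header(s):
    return str(s).replace("\\", "\\\\").replace("|", "\\|")

def esc_ext(s):
    return str(s).replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")

# Extension key that carries the indicator value, by indicator type. This mapping and the
# vendor/product header values are this example's assumptions, not the product's own CEF layout.
VALUE_KEY = {"ip": "src", "domain": "dhost", "url": "request", "md5": "fileHash"}

def to_cef(ind):
    """Render one indicator dict as a single CEF line (no trailing newline)."""
    severity = max(0, min(10, int(ind["confidence"]) // 10))  # assumed: confidence 0-100 -> CEF 0-10
    header = "|".join(esc_header(f) for f in (
        "CEF:0", "Anomali", "ThreatStream", "5.3.5", ind["itype"], f"ThreatStream {ind['itype']}", severity))
    pairs = ((VALUE_KEY[ind["type"]], ind["value"]), ("cs1Label", "confidence"), ("cs1", ind["confidence"]),
             ("cs2Label", "classification"), ("cs2", ind["classification"]))
    return header + "|" + " ".join(f"{k}={esc_ext(v)}" for k, v in pairs)

def write_cef_file(path, indicators, overwrite):
    """Append to (the 'No' default) or replace (the 'Yes' setting) the CEF file."""
    with open(path, "w" if overwrite else "a", encoding="utf-8") as f:
        for ind in indicators:
            f.write(to_cef(ind) + "\n")

def split_cef_header(line):
    """Split on the seven unescaped '|' separators; header fields come back unescaped, the extension raw."""
    parts, cur, i = [], [], 0
    while i < len(line) and len(parts) < 7:
        if line[i] == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])
            i += 2
        elif line[i] == "|":
            parts.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(line[i])
            i += 1
    parts.append(line[i:] if len(parts) == 7 else "".join(cur))
    return parts

# One key=value pair: the value runs (lazily) up to the next " key=" or the end of the extension.
EXT_PAIR_RE = re.compile(r"(\w+)=((?:\\.|[^\\=])*?)(?=\s+\w+=|$)")

def unescape_ext(value):
    return re.sub(r"\\(.)", lambda m: "\n" if m.group(1) == "n" else m.group(1), value)

def read_cef_values(path):
    """Parse the file back and return the indicator value carried by each CEF line."""
    values = []
    with open(path, encoding="utf-8") as f:
        for line in f:
            fields = split_cef_header(line.rstrip("\n"))
            if len(fields) != 8 or fields[0] != "CEF:0":
                continue  # skip, rather than choke on, lines that are not CEF
            m = EXT_PAIR_RE.search(fields[7])
            if m:
                values.append(unescape_ext(m.group(2)))
    return values

# Constructed indicators (not ThreatStream data); the URL carries '=' to exercise escaping.
INDICATORS = [
    {"itype": "mal_ip", "type": "ip", "value": "198.51.100.7", "confidence": 80, "classification": "public"},
    {"itype": "mal_domain", "type": "domain", "value": "bad.example.test", "confidence": 95, "classification": "private"},
    {"itype": "mal_url", "type": "url", "value": "http://bad.example.test/login?id=42", "confidence": 90, "classification": "public"},
]

def demo_overwrite_vs_append():
    """Write two 'downloads' to one CEF file in both modes and report what a consumer reads back."""
    first, second = INDICATORS[:2], INDICATORS[1:]  # the second run repeats one indicator and adds one
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "TS_top1000")  # the CEF file name from the setting above
        write_cef_file(path, first, overwrite=True)
        write_cef_file(path, second, overwrite=False)  # default 'No': old lines stay, duplicates accumulate
        appended = read_cef_values(path)
        write_cef_file(path, second, overwrite=True)   # 'Yes': the file holds only the latest run
        replaced = read_cef_values(path)
    return {"appended": len(appended), "appended_unique": len(set(appended)), "overwritten": len(replaced)}
```

demo_overwrite_vs_append() returns {"appended": 4, "appended_unique": 3, "overwritten": 2}: after two appended runs the file holds four lines for three distinct indicators, so a collector that tails the file in append mode must de-duplicate and must not treat an old line as a still-current indicator, while overwrite mode hands it exactly the latest download.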


Cloudera Impala
Guidelines
The following guidelines must be followed to ensure that you adhere to a supported integration setup for
Cloudera Impala:

• ThreatStream Link must be installed on a node in the Hadoop cluster; ThreatStream Link installed
on a machine outside the cluster is not a supported configuration.

• The user account used to install ThreatStream Link must have read-write access to HDFS.

• The machine on which ThreatStream Link is installed must have the Impala shell client (for
non-secured clusters) and the Beeline JDBC client (for Kerberos-secured clusters).

• ThreatStream Link creates a directory, /threatstream/lookup, (and several subdirectories) on
HDFS. Make sure the Impala user account has read-write access to this directory (and the
subdirectories) to utilize information stored in them.

• If the Hadoop cluster is Kerberos-secured, make sure that the Kerberos ticket being used by
ThreatStream Link to authenticate with the cluster stays valid. If the ticket expires, communication
with ThreatStream Link will break and you will receive an error.

• If the Hadoop cluster is Kerberos-secured, do not run the ThreatStream Link service in the background.

Integration Settings
You must configure these settings if you enter "cloudera_impala" as the response to the "Which product(s)
would you like to integrate with:" question during the ThreatStream Link installation.

Cloudera Impala version:
    Default: 1.4.1
    Version of Cloudera Impala you are integrating with.
    Impala versions 1.4.x and 2.1.x are supported.

Is Kerberos enabled on Hadoop cluster:
    Yes or No
    Default: Yes
    If your Cloudera Hadoop cluster is configured to use Kerberos for authentication,
    accept the default value and configure the next four settings.
    If your Cloudera Hadoop cluster does not use Kerberos, enter No and go to the last
    setting in this table, "Impala host".

Impala authentication protocol:
    LDAP/AD
    Default: LDAP/AD
    Currently, only LDAP authentication is supported on Impala. If you need to support
    any other authentication method, contact Anomali Customer Support.

LDAP/AD authentication user name:
    User name that ThreatStream Link will use to authenticate with Impala.

LDAP/AD authentication password:
    Password for the above user name.

Impala connection url:
    JDBC URL of the Impala server.
    For example: jdbc:hive2://host:port/

Impala host:
    Name of the node on which Impala is installed in the Hadoop cluster.
    Default: [localhost]
    Use localhost if Impala is installed on the same node as ThreatStream Link.

Filter expression for this destination:
    Criteria by which threat intelligence will be filtered to the destination. If you do
    not want to use a filter, leave this field blank. Example: modified_ts > -14d.
    See "Fields for Filtering" on page 75 for fields and "Indicator Types" on page 82
    for indicators you can specify in the filter.
    Note: The following field cannot be specified in a destination filter: feed_group.


CrowdStrike
Integration Settings
You must configure these settings if you enter "crowdstrike" as the response to the "Which product(s)
would you like to integrate with:" question during the ThreatStream Link installation.

Falcon Host version:
    Default: 1.0
    Version of Falcon Host you are running. Currently, only 1.0 is supported.

CrowdStrike API URL:
    Default: https://<falcon_host_or_IP_address>/indicators/entities/iocs/v1
    URL (of Falcon Host) that ThreatStream Link will use to push threat intelligence
    to Falcon Host.

CrowdStrike API user:
    User name ThreatStream Link will use to connect to Falcon Host to make the API
    connection.

CrowdStrike API password:
    Password associated with the specified user.

Maximum number of entries:
    Default: 10000
    Maximum number of indicators that will be pushed.

Filter expression for this destination:
    Criteria by which threat intelligence will be filtered to the destination. If you do
    not want to use a filter, leave this field blank. Example: modified_ts > -14d.
    See "Fields for Filtering" on page 75 for fields and "Indicator Types" on page 82
    for indicators you can specify in the filter.
    Note: The following field cannot be specified in a destination filter: feed_group.


CSV
Integration Settings
You must configure these settings if you enter "csv" as the response to the "Which product(s) would you
like to integrate with:" question during the ThreatStream Link installation.

CSV directory:
    The directory where the CSV file should be written on the destination.
    Examples: /opt/threatstream or c:\programdata\Optic Link
    Note: Do not enclose the path in single or double quotes even if the path includes a
    space. Doing so may result in an error during ThreatStream Link installation.

Should output files be overwritten (instead of appended) on each run:
    Yes or No
    Default: No
    Your response determines if the existing file should be overwritten or appended when
    new intelligence is downloaded.


Hadoop Hive
Guidelines
• ThreatStream Link must be installed on a node in the Hive cluster; ThreatStream Link installed on a
machine outside the cluster is not a supported configuration.

• The user account used to install ThreatStream Link must have read-write access to HDFS.

• The machine on which ThreatStream Link is installed must have the Hive shell client (for
non-secured clusters).

• ThreatStream Link creates a directory, /threatstream/lookup, (and several subdirectories) on
HDFS. Make sure the Hive user account has read-write access to this directory (and the
subdirectories) to utilize information stored in them.

Integration Settings
You must configure these settings if you enter "hadoop_hive" as the response to the "Which product(s)
would you like to integrate with:" question during the ThreatStream Link installation.

Hive version:
    Default: 1.2.1
    Version of Hive with which you want to integrate.

Is authentication enabled for Hive:
    Yes or No
    Default: No
    If authentication is not enabled, accept the default. You are done.
    If authentication is enabled, enter Yes and configure the next four settings.

Hive authentication protocol:
    LDAP/AD
    Default: LDAP/AD
    Currently, only LDAP authentication is supported.

Hive connection URL:
    JDBC URL of the Hive server.
    For example: jdbc:hive2://host:port/

LDAP/AD authentication user name:
    User name that ThreatStream Link will use to authenticate with Hive.

LDAP/AD authentication password:
    Password for the above user name.

Filter expression for this destination:
    Criteria by which threat intelligence will be filtered to the destination. If you do
    not want to use a filter, leave this field blank. Example: modified_ts > -14d.
    See "Fields for Filtering" on page 75 for fields and "Indicator Types" on page 82
    for indicators you can specify in the filter.
    Note: The following field cannot be specified in a destination filter: feed_group.


Infoblox
Guidelines
- Infoblox 7.2 is the supported version.

- Make sure that the user you specify in the settings below has the permission to create an RPZ zone on Infoblox.

- Make sure that the file "rpz.csv" does not exist in the directory where ThreatStream Link is installed. If this file exists already, an RPZ zone will not be created for the ThreatStream feed.

Integration Settings
Threat intelligence from ThreatStream to Infoblox contains domain-based indicators.

You must configure these settings if you enter "infoblox" as the response to the "Which product(s) would you like to integrate with:" question during the ThreatStream Link installation.

Threat intelligence to Infoblox is downloaded to a local Response Policy Zone (RPZ) for Infoblox 7.2.

Setting Description

Infoblox version:
7.2
Version of Infoblox NIOS with which you want to integrate.

Infoblox hostname:
Host name or IP address of the Infoblox appliance.

Filter expression for this destination:
Criteria by which threat intelligence will be filtered to the destination. If you do not want to use a filter, leave this field blank. Example: modified_ts > -14d.
See "Fields for Filtering" on page 75 for fields and "Indicator Types" on page 82 for indicators you can specify in the filter.
Note: The following field cannot be specified in a destination filter: feed_group.

Infoblox user:
User name for connecting to the Infoblox appliance. This user must have the permission to create an RPZ zone.

Infoblox password:
Password for the above user.

Have you already created RPZ zone and restarted DNS server:
Yes, No. Default: Yes
If you have already created an RPZ zone and restarted the DNS server, enter the name of the RPZ zone that you have created at the following prompt: "Name of local RPZ zone created"
If you have not created an RPZ zone, go to the next question.

Do you want ThreatStream Link to create RPZ zone automatically:
Yes, No. Default: Yes
If you answer Yes to this question, enter these settings:
- Name of the local RPZ zone for ThreatStream feed: Default: threatstream
- Priority for this zone: Default: 0; see the Infoblox documentation for more details about this option.
- Name server used for this zone: Default: infoblox.localdomain
If you answer No to this question, you must create an RPZ zone, restart the DNS server, and provide that information to complete the Infoblox configuration for ThreatStream Link.

Policy used in this zone:
Passthru, Block, Substitute. Default: Passthru
Specify the policy action to assign to each indicator as it is downloaded to the local RPZ zone.
See the Infoblox documentation for more details about this option.

Maximum number of entries:
Default: 250000
Maximum number of indicators that will be downloaded.


LogRhythm
Guideline
- Optic Link must be installed on the same Windows system on which LogRhythm is installed.

Integration Settings
You must configure these settings if you enter "logrhythm" as the response to the "Which product(s) would you like to integrate with:" question during the ThreatStream Link installation.

Setting Description

LogRhythm version:
Default: 6.3
Version of LogRhythm with which you want to integrate.

Directory to output indicators:
Directory to which ThreatStream intelligence will be downloaded.
LogRhythm expects the following directory path: <LogRhythm_install_dir>\LogRhythm Job Manager\config\list_import
Note: Do not enclose the path in single or double quotes even if the path includes a space. Doing so may result in an error during ThreatStream Link installation.

Maximum number of indicators:
Default: 30000
Maximum number of indicators that will be downloaded.

Filter expression for this destination:
Criteria by which threat intelligence will be filtered to the destination. If you do not want to use a filter, leave this field blank. Example: modified_ts > -14d.
See "Fields for Filtering" on page 75 for fields and "Indicator Types" on page 82 for indicators you can specify in the filter.
Note: The following field cannot be specified in a destination filter: feed_group.


NitroSecurity
Integration Settings
You must configure these settings if you enter "nitro" as the response to the "Which product(s) would you like to integrate with:" question during the ThreatStream Link installation.

Setting Description

NitroSecurity version:
Default: 9.3
Version of NitroSecurity running in your network environment. Currently, only version 9.3 is supported for ThreatStream Link.

Directory to output indicators:
Directory to which ThreatStream intelligence will be downloaded.

Filter expression for this destination:
Criteria by which threat intelligence will be filtered to the destination. If you do not want to use a filter, leave this field blank. Example: modified_ts > -14d.
See "Fields for Filtering" on page 75 for fields and "Indicator Types" on page 82 for indicators you can specify in the filter.
Note: The following field cannot be specified in a destination filter: feed_group.


Palo Alto Networks

Guidelines
- By default, the communication between the Palo Alto Networks firewall and ThreatStream Link uses HTTPS. The ThreatStream Link installation bundle includes the following two files: ssl_key.pem (the private key) and ssl_cert.pem (the self-signed certificate).

  If you want to use this certificate, you must make sure that your Palo Alto Networks firewall is properly configured to work with it.

  If you do not want to use the default certificate, you can replace it with your own certificate. The new certificate file must be named ssl_cert.pem, and must be located in the /opt/threatstream/scripts directory.

- If you want to use HTTP rather than HTTPS for communication, rename the following file on ThreatStream Link (for example, to ssl_cert_old.pem):

  /opt/threatstream/scripts/ssl_cert.pem

  You will need to restart the ThreatStream Link service, as described in "Starting and Stopping ThreatStream Link Service" on page 23.

- If you are upgrading to this version of ThreatStream Link, make sure you are aware of this change:

  Prior to ThreatStream Link version 5.2, Palo Alto Networks integration with ThreatStream Link required a different self-signed certificate file. If you are currently using that certificate and HTTPS to communicate between the Palo Alto Networks firewall and ThreatStream Link, you must reconfigure the Palo Alto Networks firewall to accept the new certificate available in the file ssl_cert.pem after upgrading to this version of ThreatStream Link.

  If you require assistance in upgrading, contact Anomali Customer Support.

- Make sure that the machine on which ThreatStream Link is installed allows inbound TCP connections for the HTTP service port you configure in "Integration Settings" below.

- Do not use the same ThreatStream Link installation to serve indicators to QRadar API, Palo Alto Networks firewall, AccelOps, and RSA NetWitness destinations.

Integration Settings
Threat intelligence from ThreatStream to Palo Alto Networks contains IP-based indicators.

You must configure these settings if you enter "paloaltonetworks" as the response to the "Which product(s) would you like to integrate with:" question during the ThreatStream Link installation.

Setting Description

Palo Alto Networks firewall version:
Default: 3020
Enter the model number of the firewall appliance that will download threat intelligence from ThreatStream Link.

File name to output indicators:
Default: pa-dbl.txt
Name of the file to which ThreatStream intelligence will be downloaded.

Maximum number of entries:
Default: 9700
Maximum number of indicators that will be downloaded to the firewall. If there are more indicators than the limit specified by this setting, ThreatStream Link downloads the top indicators (with the highest confidence value and lowest age) equal to the number specified in this setting.
This number is governed by your Palo Alto Networks firewall model. Consult your product's documentation to determine an optimum value for your deployment.

HTTP service port:
Default: 8787
Port on which the Palo Alto firewall will connect to ThreatStream Link to download indicators.
Note: Make sure you have read the "Guidelines" on the previous page.

Filter expression for this destination:
Criteria by which threat intelligence will be filtered to the destination. If you do not want to use a filter, leave this field blank. Example: modified_ts > -14d.
See "Fields for Filtering" on page 75 for fields and "Indicator Types" on page 82 for indicators you can specify in the filter.
Note: The following field cannot be specified in a destination filter: feed_group.

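As an added example (not Anomali's code), a check to run on the generated block list before the firewall pulls it over the HTTP service port: it confirms every line is an IP address or network, flags entries that would cover internal address space, drops duplicates, and enforces the entry cap. The one-entry-per-line layout of pa-dbl.txt and the list of internal ranges are assumptions, not something the guide states.

```python
"""Added example, not part of ThreatStream Link: validate a pa-dbl.txt block list
before the Palo Alto Networks firewall downloads it.

Assumptions (not stated in the guide): the file holds one IP address or CIDR
network per line, blank lines are ignored, and the cap defaults to the
"Maximum number of entries" value of 9700.
"""
import ipaddress

MAX_ENTRIES = 9700  # default "Maximum number of entries" from the integration settings

# Address space a block list should never cover; an entry overlapping one of
# these would make the firewall block internal, loopback or link-local traffic.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",      # loopback, link-local, "this" network
    "::1/128", "fc00::/7", "fe80::/10",                 # IPv6 loopback, ULA, link-local
)]


def check_block_list(text, max_entries=MAX_ENTRIES):
    """Return (accepted_entries, problems) for the block-list text.

    accepted_entries keeps the lines exactly as written, in file order;
    problems is a list of human-readable findings, one per rejected line
    plus one if the accepted count exceeds max_entries.
    """
    accepted = []
    problems = []
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        try:
            # strict=False accepts host bits set in a network entry (e.g. 192.0.2.10/24)
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            problems.append(f"line {lineno}: not an IP address or network: {line!r}")
            continue
        # overlaps() is version-safe: an IPv4 entry never overlaps an IPv6 range
        if any(net.overlaps(internal) for internal in INTERNAL_RANGES):
            problems.append(f"line {lineno}: {line} overlaps internal address space")
            continue
        if net in seen:
            problems.append(f"line {lineno}: duplicate entry {line}")
            continue
        seen.add(net)
        accepted.append(line)
    if len(accepted) > max_entries:
        problems.append(f"{len(accepted)} entries exceed the firewall limit of {max_entries}")
    return accepted, problems


# Constructed sample input using documentation address ranges, not real indicators.
SAMPLE_LIST = """\
192.0.2.10
192.0.2.0/24

198.51.100.7
192.0.2.10
10.1.2.3
not-an-ip
"""

if __name__ == "__main__":
    entries, findings = check_block_list(SAMPLE_LIST)
    for finding in findings:
        print("PROBLEM:", finding)
    print(f"{len(entries)} entries accepted")
```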

QRadar API
Guidelines
- Use the QRadar API integration point to configure new QRadar destinations. The QRadar (without API) option is available but only supported for backward compatibility. Previously configured QRadar (without API) destinations do not need to be reconfigured.

- ThreatStream Link must be installed on a different system from the one on which QRadar is installed.

- One ThreatStream Link installation can only support one QRadar destination.

- Do not use the same ThreatStream Link installation to serve indicators to QRadar, Palo Alto Networks firewall, AccelOps, and RSA NetWitness destinations.

- For information about the Anomali QRadar App and Security Content Pack, see the Anomali QRadar App & Content Guide.

Integration Settings
You must configure these settings if you enter "qradar_api" as the response to the "Which product(s) would you like to integrate with:" question during the ThreatStream Link installation.

Setting Description

QRadar version:
Default: 7.2.6
Version of QRadar running in your network environment.
Supported versions are: 7.2.3, 7.2.4, 7.2.5, 7.2.6, and 7.2.7

Web server port:
Default: 8787
Port on which the ThreatStream QRadar App communicates with ThreatStream Link to obtain enriched, matched indicators.
Note: This setting is only displayed if you are configuring QRadar versions 7.2.6 and 7.2.7.

QRadar hostname:
Default: localhost
Hostname or IP address of the QRadar system.
If ThreatStream Link is installed locally, on the same machine as QRadar, choose the default value (localhost).
If ThreatStream Link is installed remotely, enter the hostname or IP address of the QRadar server.

QRadar authorization token:
Enter the authorization token that ThreatStream Link will use to run the API commands on the QRadar server.
This token is generated on the QRadar server. Consult your product's documentation for more information.

Maximum number of entries per reference set:
Default: 10000
Maximum number of indicators that will be downloaded per reference set to the QRadar server. If there are more indicators than the limit specified by this setting, ThreatStream Link downloads the top indicators (with the highest confidence value and lowest age) equal to the number specified in this setting.
This number is governed by your QRadar server. Consult your product's documentation to determine an optimum value for your deployment.

Batch size:
Default: 200
Indicators are downloaded in batches from ThreatStream Link to the QRadar server. This setting specifies the number of indicators that will be downloaded in each batch.

Filter expression for this destination:
Criteria by which threat intelligence will be filtered to the destination. If you do not want to use a filter, leave this field blank. Example: modified_ts > -14d.
See "Fields for Filtering" on page 75 for fields and "Indicator Types" on page 82 for indicators you can specify in the filter.
Note: The following field cannot be specified in a destination filter: feed_group.
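As an added example (not Anomali's code), the selection rule behind the "Maximum number of entries per reference set" and "Batch size" settings, which is the same "highest confidence value and lowest age" rule the Palo Alto Networks "Maximum number of entries" setting describes: rank, cut at the cap, split into batches. The indicator record layout, the mapping of indicator type to reference set, and the sample data are assumptions.

```python
"""Added example, not part of ThreatStream Link: how the "top indicators" rule
(highest confidence value, then lowest age) and the per-reference-set cap and
batch size settings select what is sent to QRadar. The same ranking rule is
stated for the Palo Alto Networks "Maximum number of entries" setting.

Assumptions (not in the guide): the indicator record layout below, and that
each indicator type maps to one QRadar reference set.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from itertools import islice


@dataclass(frozen=True)
class Indicator:
    value: str             # the observable, e.g. an IP address or domain
    itype: str             # indicator type; assumed to select the reference set
    confidence: int        # 0-100 as on the ThreatStream platform
    modified_ts: datetime  # last modification time; age is measured from it


def age_seconds(ind, now):
    """Age of an indicator relative to the reference time (lower is fresher)."""
    return (now - ind.modified_ts).total_seconds()


def select_top(indicators, max_entries, now):
    """Keep at most max_entries indicators: highest confidence first and,
    among equal confidence, the most recently modified first."""
    ranked = sorted(indicators, key=lambda ind: (-ind.confidence, age_seconds(ind, now)))
    return ranked[:max_entries]


def group_by_reference_set(indicators):
    """Bucket indicators by type, one bucket per (assumed) reference set."""
    groups = {}
    for ind in indicators:
        groups.setdefault(ind.itype, []).append(ind)
    return groups


def batches(items, batch_size):
    """Split a list into consecutive batches of at most batch_size items."""
    it = iter(items)
    while True:
        chunk = list(islice(it, batch_size))
        if not chunk:
            return
        yield chunk


def plan_qradar_upload(indicators, now, max_entries_per_set=10000, batch_size=200):
    """Return {reference_set: [batch, batch, ...]} using the guide's defaults."""
    plan = {}
    for ref_set, members in group_by_reference_set(indicators).items():
        plan[ref_set] = list(batches(select_top(members, max_entries_per_set, now), batch_size))
    return plan


# Constructed sample data (documentation addresses, not real intelligence).
NOW = datetime(2016, 11, 16, tzinfo=timezone.utc)
SAMPLE = [
    Indicator("192.0.2.10", "ip", 90, NOW - timedelta(days=1)),
    Indicator("192.0.2.11", "ip", 90, NOW - timedelta(days=5)),
    Indicator("192.0.2.12", "ip", 70, NOW - timedelta(hours=1)),
    Indicator("192.0.2.13", "ip", 95, NOW - timedelta(days=20)),
    Indicator("example.test", "domain", 60, NOW - timedelta(days=2)),
]

if __name__ == "__main__":
    # A small cap and batch size make the ranking visible on the sample:
    # the 95-confidence entry wins despite being the oldest, and the two
    # 90-confidence entries are ordered by age.
    for ref_set, ref_batches in plan_qradar_upload(SAMPLE, NOW, 3, 2).items():
        for n, batch in enumerate(ref_batches, start=1):
            print(ref_set, f"batch {n}:", [ind.value for ind in batch])
```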

Force Synchronizing IOC Update

After you have configured QRadar the first time, ThreatStream Link downloads all IOCs for your organization on to QRadar. This activity can take up to several hours. Subsequent updates are incremental: only new or changed information is downloaded.

However, there may be situations after the first download when you want to clear all QRadar reference sets and perform a full intelligence refresh.

Note: Performing a full intelligence refresh can take up to several hours. Therefore, use this option with caution.

To clear all ThreatStream Reference Sets and force synchronize threat intelligence on your QRadar system:

1. Stop the ThreatStream Link service as described in "Starting and Stopping ThreatStream Link Service" on page 23.

2. Run this command:

   ./opticlink -r

   You will be prompted to confirm the operation. Once you confirm, the operation proceeds and clears the ThreatStream Reference Sets on QRadar. Once the operation has completed, go to the next step.

3. Start ThreatStream Link as described in "Starting and Stopping ThreatStream Link Service" on page 23.

A full refresh of the threat intelligence is performed at the next update time interval, as specified for your ThreatStream Link.

QRadar (Deprecated)
Instead of using this QRadar integration point, use the QRadar API integration point to configure new QRadar destinations. The QRadar (without API) option is available but only supported for backward compatibility. Previously configured QRadar (without API) destinations do not need to be reconfigured.

Integration Settings
You must configure these settings if you enter "qradar" as the response to the "Which product(s) would you like to integrate with:" question during the ThreatStream Link installation.

Note: ThreatStream Link communicates with the QRadar destination using the command line when this option is selected. This implementation is deprecated as of ThreatStream Link v5.1, and is only supported for backward compatibility. Use QRadar API to set up a new QRadar destination.

Setting Description

QRadar version:
Default: 7.2
Version of QRadar running in your network environment. Use the value 7.2 for both versions 7.2.2 and 7.2.3.

QRadar hostname:
Default: localhost
Hostname or IP address of the QRadar system.
If ThreatStream Link is installed locally, on the same machine as QRadar, choose the default value (localhost).
If ThreatStream Link is installed remotely, enter the hostname or IP address of the QRadar server, and configure the next four settings.

ThreatStream Link Remote Configuration Options for QRadar

QRadar user name:
Default: root
User name for connecting to QRadar.

SSH command:
Default: /usr/bin/ssh
Command to use for connecting to QRadar using SSH.

SCP command:
Default: /usr/bin/scp
Command to use for using SCP on QRadar.

SSH key:
Default: /root/.ssh/id_rsa
You will need to create an SSH key pair that ThreatStream Link will use to connect to QRadar. Specify the location of the SSH key pair. See "SSH Key Pair Generation" on page 92 for more information about setting up an SSH key pair.

RSA NetWitness
Guidelines
- Configure ThreatStream Link to run as a service to ensure that the HTTP server is always available for RSA NetWitness to download indicators from ThreatStream Link.

- Do not use the same ThreatStream Link installation to serve indicators to QRadar API, Palo Alto Networks firewall, AccelOps, and RSA NetWitness destinations.

- RSA NetWitness integration with ThreatStream Link requires about 40 GB of disk space on the ThreatStream Link system. Make sure that the ThreatStream Link system is provisioned for sufficient disk space.

Integration Settings
You must configure these settings if you enter "rsa" as the response to the "Which product(s) would you like to integrate with:" question during the ThreatStream Link installation.

Setting Description

RSA version:
Default: 10.4
Version of RSA with which you want to integrate. Version 10.5 is also supported.

Maximum number of indicators:
Default: 25000
Maximum number of indicators that will be downloaded.

Delimiter for CSV files:
Default: |
Delimiter character for parsing data from the threat intelligence data files.
The specified pipe (|) character is used as a field separator in the CSV files created on ThreatStream Link from which RSA NetWitness will obtain threat intelligence. Although you can specify any character of your choice, Anomali recommends using the default value (|).

Webserver port:
Default: 8789
Port on which the HTTP connection to ThreatStream Link should be established from RSA NetWitness.

Enable SSL:
Default: No
Anomali recommends using the default value.

Filter expression for this destination:
Criteria by which threat intelligence will be filtered to the destination. If you do not want to use a filter, leave this field blank. Example: modified_ts > -14d.
See "Fields for Filtering" on page 75 for fields and "Indicator Types" on page 82 for indicators you can specify in the filter.
Note: The following field cannot be specified in a destination filter: feed_group.

Additional Configuration After Installing ThreatStream Link

After you complete the ThreatStream Link setup for RSA NetWitness, ThreatStream Link starts downloading threat intelligence from the ThreatStream platform, which it stores locally until the NetWitness platform is ready to obtain this information from it. To ensure completeness of threat intelligence information, Anomali recommends allowing ThreatStream Link to run for about 24 hours before enabling the NetWitness platform to receive threat intelligence from ThreatStream Link the first time.

To enable your RSA NetWitness platform to start receiving threat intelligence feeds from ThreatStream Link, you must do the following:

- Download the ThreatStream content pack from the Downloads page of the ThreatStream platform. Unzip the package to access these files:
  - RSA_TS_Plugin.txt
  - ThreatStreamRules.zip
  - ThreatStreamReports.zip
  - tsdomain.xml
  - tshash.xml
  - tsurl.xml
  - tsip.xml
  - tsemail.xml

- Install the Anomali plug-in for RSA for context menu actions. See "Install the ThreatStream Plug-in" on the next page.

- Create ThreatStream feeds for all five Indicator of Compromise (IOC) types on the RSA NetWitness platform. See "Creating ThreatStream Feeds on RSA NetWitness" on the next page.

- Deploy the Anomali RSA content package that creates rules and reports.


Install the ThreatStream Plug-in

1. Log in to the NetWitness platform as a user who has privileges to install a plug-in.

2. Open the RSA_TS_Plugin.txt file you downloaded earlier using a text editor such as Notepad. Copy the contents of this file.

3. Click Dashboard > Administration > System > Context Menu Actions.

   Note: Context Menu Actions is called Plug-in in RSA version 10.4.

4. Click the + sign to create a new Context Menu Configuration.

5. Paste the content of the RSA_TS_Plugin.txt file you copied earlier.

6. Click OK.

A Context Menu called ThreatStreamLookup is created, as shown in the following figure.

Creating ThreatStream Feeds on RSA NetWitness

Note: Remember to allow ThreatStream Link to run at least 24 hours before you configure RSA NetWitness to receive feeds from ThreatStream Link.

1. Log in to the NetWitness platform as a user who has privileges to create Live Feeds.

2. Click Dashboard > Live > Feeds.

3. Repeat the following steps for all five types of IOCs:

   a. Click the + sign to create a new feed.

   b. Select Custom Feed and click Next.

   c. Enter the following parameters.

      Feed Task Type: Whether the feed will be refreshed on demand or on a recurring basis. Select Recurring.

      Name: A meaningful name for the feed. Enter the following:
        - tsdomain for the domain IOC feed
        - tshash for the hash IOC feed
        - tsurl for the URL IOC feed
        - tsip for the IP IOC feed
        - tsemail for the email IOC feed

      URL: URL to which RSA NetWitness will make an HTTP or HTTPS connection to ThreatStream Link.
      Use this format: http://<your_optic_link_host>:8789/<CSV_file_name>
      where CSV_file_name is
        - threatstream_rsa_domain.csv
        - threatstream_rsa_hash.csv
        - threatstream_rsa_url.csv
        - threatstream_rsa_ip.csv
        - threatstream_rsa_email.csv
      NOTE: Click Verify to ensure RSA NetWitness can access the URL.

      Recur Every: How frequently RSA NetWitness will poll ThreatStream Link for updates. Enter 1 hour.

      Advanced Options: Browse to access the .xml files that were included in the content pack that you downloaded earlier. Depending on the feed you are configuring, select one of the following:
        - tsdomain.xml
        - tshash.xml
        - tsurl.xml
        - tsip.xml
        - tsemail.xml

   d. Click Next.

   e. Select the decoder in the Select Services screen.

   f. Click Finish.

   Once successfully configured, the five streams will be listed in the Feeds section as shown in the following figure.

Deploy the ThreatStream RSA Content Pack

The ThreatStream RSA Content Pack contains two .zip files for creating rules and reports.

To create rules:

1. Log in to the NetWitness platform as a user who has privileges to create rules and reports.

2. Click Dashboard > Reports.

3. Click Rules.

4. Under Groups, click the settings icon and select Import.

5. Click Browse and locate the ThreatStreamRules.zip file that you downloaded earlier.

6. Click Import.

To create reports:

1. Log in to the NetWitness platform as a user who has privileges to create rules and reports.

2. Click Dashboard > Reports.

3. Click Reports.

4. Under Groups, click the settings icon and select Import.

5. Click Browse and locate the ThreatStreamReports.zip file that you downloaded earlier.

6. Click Import.


Splunk
Guidelines
Splunk Add-on with Splunk ES version 4.x
If you are integrating with the Splunk add-on deployed on a Splunk server running ES version 4.x, make sure the ThreatStream Link can access port 8089 on that Splunk server.

Splunk Search Head Cluster

If all search head nodes use the same credentials, you can set up one destination for all nodes in the cluster. However, if the credentials are not the same, you must set up a unique destination on ThreatStream Link for each search head node in the cluster.

If you had set up multiple unique destinations for a previous ThreatStream Link release even though all search head nodes use the same credentials, the destinations are preserved when you upgrade to this ThreatStream Link release. You can continue using the multiple destination setup, or delete those destinations and configure one destination for all search head nodes in the cluster.

Splunk Installed on Windows

For Splunk installed on Windows, make sure that you share the folder where threat intelligence will be written from ThreatStream Link to Splunk with the user that you are using to install ThreatStream Link. If Splunk is installed on a Windows cluster and you want to push threat intelligence to all members of the cluster, make sure that you share folders on all members of the cluster.

Additionally, the ThreatStream Link service must be configured to run as the user who is installing ThreatStream Link; otherwise, the threat intelligence copy to the shared folder will fail as shown in the following example.


Integration Settings
You must configure these settings if you enter "splunk" as the response to the "Which product(s) would you like to integrate with:" question during the ThreatStream Link installation.

Setting Description

Splunk version:
Default: 6.2
Version of Splunk with which you want to integrate. Versions 6.1, 6.2, 6.3, and 6.4 are supported.

Filter expression for this destination (blank for no filter):
Criteria by which threat intelligence will be filtered to the destination. If you do not want to use a filter, leave this field blank. Example: modified_ts > -14d.
See "Fields for Filtering" on page 75 for fields and "Indicator Types" on page 82 for indicators you can specify in the filter.
Note: The following field cannot be specified in a destination filter: feed_group.

Splunk app or add-on ThreatStream integration:
Default: app
Anomali provides a Splunk App and a Splunk add-on. Both require ThreatStream Link to receive the latest threat intelligence from ThreatStream.
Specify whether you are integrating the Splunk App or the Splunk add-on.

Is Splunk deployed on Windows: (if you are integrating with the Splunk App)
Yes or No. Default: No
Whether your Splunk instance is installed on a Windows platform.

Splunk ES version: (if you are integrating with the Splunk add-on)
3.x or 4.x. Default: 3.x
If you selected addon in the previous setting, specify the ES version you are running on Splunk.

Settings for all versions of Splunk App and Splunk add-on with Splunk ES version 3.x


Splunk ThreatStream absolute path:
Default: /opt/splunk/etc/apps/threatstream
Directory to which ThreatStream intelligence will be downloaded.
For Unix-based systems:
- Specify the path as shown in the Default value.
For Windows:
- Specify the host name in the path in this format: \\<windows_host_name>\<install_dir>\threatstream.
- If you have a search head cluster and want to push intelligence to all members of the cluster, comma-separate the paths to the folders on all members of the cluster. For example, \\abc-pc1\threatstream,\\abc-pc2\threatstream,\\192.168.10.42\threatstream
- Make sure that you have shared the folder you specified in the Splunk ThreatStream absolute path setting, as shown in the following example. The folder must be shared with the user that you are using to install ThreatStream Link. If Splunk is installed on a Windows cluster and you want to push threat intelligence to all members of the cluster, make sure that you have shared folders on all members of the cluster.

Splunk deployment server, search head or cluster hosts (comma separated):
Default: localhost
If ThreatStream Link is installed locally, on the same machine as Splunk, choose the default value (localhost).
If ThreatStream Link is installed remotely and Splunk is installed on a Unix-based platform, enter the host name or IP address of the Splunk search head server. For a search head cluster, enter a comma-separated list of the IP addresses of all search head nodes in the cluster.
If ThreatStream Link is installed remotely and Splunk is installed on a Windows platform, always select the default value (localhost).


SSH Settings (only displayed when ThreatStream Link is installed remotely on a Unix-based platform):
If you enter a value other than the default (localhost) in the "Splunk deployment server, search head or cluster hosts" setting, you are prompted to enter the following SSH settings. Since these settings are not meaningful if your Splunk is installed on a Windows system, make sure you always enter the default value (localhost) in the previous setting for Windows.
When ThreatStream Link is remote and Splunk is installed on a Unix-based platform, enter the following settings:
- SSH port: Default: 22; Enter the SSH port for the Splunk machine.
- SSH auth: public key or password
  Select "public key" if you want to use an SSH key pair for authentication. See "SSH Key Pair Generation" on page 92 for more information about setting up an SSH key pair.
  Select "password" if you will use a user name and password for authenticating with Splunk.
- SSH user: Default: root; Enter the user name to use for connecting to Splunk.
- SSH password OR SSH private key and password: The settings displayed depend on the authentication option you selected for SSH auth.
  - If you selected public key, enter the SSH private key and the SSH private key password.
  - If you selected password, enter the password for the SSH user.

Settings for Splunk add-on with Splunk ES version 4.x

Splunk deployment server, search head or cluster hosts (comma separated):
Default: localhost
If ThreatStream Link is installed locally, on the same machine as Splunk, choose the default value (localhost).
If ThreatStream Link is installed remotely, enter the host name or IP address of the Splunk search head server. For a search head cluster, enter a comma-separated list of the IP addresses of all search head nodes in the cluster.

Splunk API port:
Default: 8089
Port on Splunk to which ThreatStream Link will make an API connection to download the ThreatStream content.

Splunk API user:
User name ThreatStream Link will use to connect to Splunk to make the API connection.


Splunk API password:
Password associated with the specified user.

Splunk API path:
Default: /servicesNS/nobody/DA-ESS-ThreatIntelligence/storage/collections/data
Location on the Splunk server where threat intelligence will be downloaded.

Maximum number of entries:
Default: 10000
Maximum number of indicators that will be downloaded.

Maximum number of entries each upload:
Default: 300
Maximum number of indicators that will be downloaded each time.
Note: Anomali recommends using the default value for optimal performance.


Syslog
Integration Settings
You must configure these settings if you enter "syslog" as the response to the "Which product(s) would you like to integrate with:" question during the ThreatStream Link installation.

Setting Description

Syslog host:
Name or IP address of the host to which ThreatStream intelligence will be downloaded.

Syslog port:
Default: 514
Port on the Syslog host to which ThreatStream Link will connect to download the ThreatStream intelligence.

Syslog facility:
Default: local0


Tanium
Integration Settings
Threat intelligence from ThreatStream to Tanium IOC Funnel and IOC Detect contains IP, domain, and
MD5-based indicators.

You must configure these settings if you enter "tanium" as the response to the "Which product(s) would
you like to integrate with:" question during the ThreatStream Link installation.

Setting Description

Tanium version (6.2 or 6.5; Default: 6.5)
    Version of the Tanium server with which you are integrating.

Tanium IOC Detect port (for 6.5; Default: 443)
Tanium IOC Funnel port (for 6.2; Default: 5443)
    Port for making the REST API call to the Tanium Endpoint Platform server (for 6.5) or
    the IOC Funnel (for 6.2).

Tanium hostname
    Host name or IP address of the Tanium server (for 6.5) or the IOC Funnel (for 6.2).

Tanium user
    User name for connecting to the Tanium server (for 6.5) or the IOC Funnel (for 6.2).

Tanium password
    Password for the above user.

Tanium group name (required for 6.5 only; Default: ThreatStream)
    IOC Detect group name under which all indicators from ThreatStream will be placed.
    Certain special characters are not allowed in the group name. The configuration wizard
    will prompt you to re-enter the name if it contains a character that is not acceptable.

Maximum number of indicators (Default: 50)
    Maximum number of indicators that will be downloaded. The indicators are downloaded
    automatically based on the schedule you specify during the ThreatStream Link installation.

    For Tanium 6.2, you must upload the indicators from the IOC Funnel to the Tanium server
    based on your need.

    Note: When ThreatStream Link updates threat indicators on Tanium IOC Funnel or IOC Detect,
    the existing ThreatStream indicators are removed and replaced with the latest ones.

Tags associated with indicators
    Specify the tags that must be associated with an indicator for it to be downloaded. The tags
    are set on the ThreatStream platform and are strings associated with an indicator for
    additional context.

    The IOC Funnel and IOC Detect impose a limit on the number of indicators that can be
    forwarded to them. By tagging (in ThreatStream) the indicators you are most interested in,
    you can limit the number of indicators that get forwarded. Use a combination of tags and
    ThreatStream Link filtering to pare down the number of indicators that will be forwarded.

Filter expression for this destination
    Criteria by which threat intelligence will be filtered to the destination. If you do not want
    to use a filter, leave this field blank. Example: modified_ts > -14d.

    See "Fields for Filtering" on page 75 for fields and "Indicator Types" on page 82 for
    indicators you can specify in the filter.

    Note: The following field cannot be specified in a destination filter: feed_group.



Appendix C: Fields for Filtering
This appendix lists and describes the fields available for filtering and the operators that can be used on
ThreatStream Link.

Field Operators
The following table lists the operators available for each field type.

Field Type Operators

String    =, !=, contains, startswith, endswith, ~, !~

          Note: ~ is a regular-expression match operator and !~ its negation. Use it together with the
          type field to find specific indicators. For example, value ~ ".*maliciousdomain.com$" AND
          type=domain matches the domain indicators whose value ends with maliciousdomain.com. (In a
          regular expression an unescaped dot matches any character; write \. to match a literal dot.)

Numeric   =, !=, <, <=, >, >=

Date      =, !=, <, <=, >, >=

Simple expressions (queries) can be joined using the logical operators AND, OR, and NOT to form
complex expressions.

Fields
This section lists the fields that you can use for defining source and destination filters for ThreatStream
Link and the values that can be associated with these fields.

Follow these guidelines when using these fields to create filters:

- Field names, operator names, and values are case sensitive.

- Not all fields available on ThreatStream are supported for ThreatStream Link filters.

- To configure a source filter or destination filter on ThreatStream Link, use the field listed first in
  each entry of the following table (the 5.1-and-later field). All of these fields can be used in a
  destination filter except feed_group.

- If you have a pre-existing source filter that was configured prior to ThreatStream Link version 5.1,
  the source filter is based on the pre-v5.1 field shown in parentheses, because the 5.1-and-later fields
  were not supported then. Source filters based on the pre-v5.1 fields continue to work with all releases
  of ThreatStream Link and do not need to be migrated. However, if you are configuring a new source
  filter, Anomali recommends that you use the 5.1-and-later fields.

- When creating a new source filter, do not mix 5.1-and-later and pre-v5.1 fields. Doing so may result
  in unexpected behavior.

- If you need to modify an existing source filter, rewrite it using the new fields.

Each entry below gives the 5.1-and-later field, the pre-v5.1 field kept for backward compatibility
(NONE where the field had no pre-v5.1 equivalent), the field type, and a description.

asn  (pre-v5.1: asn)  String
    The Autonomous System Number (ASN) for the IP address associated with the indicator.

classification  (pre-v5.1: classification)  String
    Indicates whether an IOC is private or from a public feed and available publicly.
    Possible values: private, public

confidence  (pre-v5.1: confidence)  Numeric
    Risk score from 0 to 100, assigned to indicators by ThreatStream's predictive analytics technology.

country  (pre-v5.1: country)  String
    Two-letter ISO country code for the IP address associated with the indicator. For example, US, CN,
    DE, and so on.

created_ts  (pre-v5.1: date_first)  Date
    Time stamp of when the indicator was first created in ThreatStream.

    Date can be specified as follows:

    - In this format: YYYY-MM-DDThh:mm:ss, where T denotes the start of the time value. For example,
      2014-10-02T20:44:35.

    - As a relative time unit, in this format: -<n><unit>, where n is a whole number and unit is w, d, h,
      m, or s (for weeks, days, hours, minutes, and seconds, respectively). For example, -2w denotes two
      weeks, counted back from NOW.

modified_ts  (pre-v5.1: date_last)  Date
    Time stamp of when the indicator was last updated in ThreatStream.

    Date can be specified in the same two formats as for created_ts. For example, as an absolute time,
    modified_ts > 2014-10-02T20:44:35; or, as a relative time, modified_ts > -14d.

tags  (pre-v5.1: detail)  String
    Additional comments and context associated with the indicator when it was imported from its
    original threat feed.

    Note: Because this field can contain multiple values, when specifying this field in a filter,
    either specify all of those values, separated by commas, in the order they appear in the Optic UI,
    or use the startswith operator to specify the beginning of the value you are looking for. For
    example, to look for "phish-target,victim-hi-tech", specify detail="phish-target,victim-hi-tech",
    or detail startswith phish, or detail startswith victim.

value  (pre-v5.1: domain)  String
    Pre-5.1: Domain indicator type and its value. For example, domain="maliciousdomain.com".

    5.1 and later: the value of an indicator, whose type is specified by the type field. For example,
    value ~ "malicious.*" AND type=domain selects the domain indicators whose value matches the
    regular expression malicious.*.

value  (pre-v5.1: email)  String
    Pre-5.1: Email indicator type and its value. For example, email="foo@maliciousdomain.com".

    5.1 and later: the value of an indicator, whose type is specified by the type field.

feed_group  (pre-v5.1: feed_group)  String
    Name of the group or industry associated with the indicator. For example, healthcare, government,
    financial.
    Possible values: behavioral, education, financial, government, energy, healthcare, spam, hitech, retail

import_session_id  (pre-v5.1: import_session_id)  Numeric
    ID of the import session that created the indicator on ThreatStream.

itype  (pre-v5.1: itype)  String
    Indicator type. For example, c2_ip, compromised_email, apt_md5, and so on.
    See "Indicator Types" on page 82 for the full list.

lat  (pre-v5.1: lat)  Numeric
    Latitude associated with the geolocation of the IP address.

lon  (pre-v5.1: lon)  Numeric
    Longitude associated with the geolocation of the IP address.

maltype  (pre-v5.1: maltype)  String
    Information regarding a malware family, a CVE ID, or another attack or threat associated with the
    indicator.

value  (pre-v5.1: md5)  String
    Pre-5.1: MD5 indicator type and its value. For example, md5="1525efe350bc16bec22ebae99722798a".

    5.1 and later: the value of an indicator, whose type is specified by the type field.

org  (pre-v5.1: org)  String
    Organization that owns the IP address associated with the indicator. For example, Comcast, Amazon,
    and so on.

severity  (pre-v5.1: severity)  String
    Criticality associated with the threat feed that supplied the indicator.
    Possible values: low, medium, high, very-high

source  (pre-v5.1: NONE)  String
    Source name associated with the indicator. The source field contains a string label that identifies
    the source of the indicator to ThreatStream. It may contain a user's email address, a company name,
    a domain name, and so on. This field can help you filter out indicators imported by a specific
    source, such as your organization. For example, source="@mycompany.com".

stream_id  (pre-v5.1: source_feed_id)  Numeric
    ID of the threat feed that created the indicator on ThreatStream.

value  (pre-v5.1: srcip)  String
    Pre-5.1: IP address indicator type and its value. For example, srcip=192.168.0.10.

    5.1 and later: the value of an indicator, whose type is specified by the type field.

status  (pre-v5.1: state)  String
    Current state of the indicator.
    Possible values: active, inactive, falsepos

type  (pre-v5.1: NONE)  String
    Data type of the indicator, for example domain (as in type=domain).

value  (pre-v5.1: url)  String
    Pre-5.1: URL indicator type and its value. For example, url="http://www.google.com".

    5.1 and later: the value of an indicator, whose type is specified by the type field.
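A filter is easy to get wrong (case-sensitive names, an operator that does not apply to a field's type, a dangling AND) and the setup wizard is the only place that tells you. The following added example, not Anomali's code, is a small Python evaluator for the filter grammar as this appendix documents it, so that a source or destination filter (such as the Tanium destination filter above) can be dry-run against sample indicators before it is typed in. It assumes that NOT applies to the term after it and that AND binds tighter than OR, that ~ is a regular-expression search, that the comma-separated tags field is matched per value (as the detail startswith victim example implies), and that timestamps are strings in the documented format; the indicators it ships with are constructed.

```python
"""Dry-run evaluator for the ThreatStream Link filter syntax in Appendix C (added example,
not Anomali's code). It implements the grammar as documented: string, numeric and date
operators, relative dates, AND/OR/NOT, and the pre-v5.1 aliases that map onto one 5.1 field.
Assumed, because the appendix does not say: NOT applies to the term after it, AND binds
tighter than OR, ~ is a regex search, and the comma-separated tags field is matched per value.
The indicators at the bottom are constructed, not ThreatStream data."""
import re
from datetime import datetime, timedelta

S, N, D = "String", "Numeric", "Date"
FIELD_TYPES = {"asn": S, "classification": S, "confidence": N, "country": S, "created_ts": D,
               "modified_ts": D, "tags": S, "value": S, "feed_group": S, "import_session_id": N,
               "itype": S, "lat": N, "lon": N, "maltype": S, "org": S, "severity": S,
               "source": S, "stream_id": N, "status": S, "type": S}
ALIASES = {"date_first": "created_ts", "date_last": "modified_ts", "detail": "tags",
           "source_feed_id": "stream_id", "state": "status"}  # pre-v5.1 names
STRING_OPS = {"=", "!=", "contains", "startswith", "endswith", "~", "!~"}
ORDER_OPS = {"=", "!=", "<", "<=", ">", ">="}
# Quoted value | symbolic operator | bare word (field, keyword, -14d, 192.168.0.10) | stray char.
TOKEN_RE = re.compile(r'\s*(?:"([^"]*)"|(!=|<=|>=|!~|[=<>~])|([^\s"=<>~!]+)|(\S))')
RELATIVE_RE = re.compile(r"^-(\d+)([wdhms])$")
UNIT_SECONDS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}


def tokenize(text):
    """(kind, text) pairs: 'str' quoted value, 'op' operator, 'word' anything else."""
    out = []
    for m in TOKEN_RE.finditer(text):
        if m.group(4):
            raise ValueError("unexpected character %r in filter" % m.group(4))
        out.append(("str", m.group(1)) if m.group(1) is not None else
                   ("op", m.group(2)) if m.group(2) else ("word", m.group(3)))
    return out


def parse_date(value, now):
    """Absolute YYYY-MM-DDThh:mm:ss, or -<n><unit> counted back from now."""
    m = RELATIVE_RE.match(value)
    if m:
        return now - timedelta(seconds=int(m.group(1)) * UNIT_SECONDS[m.group(2)])
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def compare(field, op, raw, indicator, now):
    """Evaluate one 'field op value' term against an indicator dict keyed by 5.1 field names."""
    field = ALIASES.get(field, field)
    ftype = FIELD_TYPES.get(field)
    if ftype is None:
        raise ValueError("unsupported filter field: %s" % field)
    if op not in (STRING_OPS if ftype == S else ORDER_OPS):
        raise ValueError("operator %s is not valid for %s field %s" % (op, ftype, field))
    actual = indicator.get(field)
    if actual is None:
        return False
    if ftype == S:
        def match(a):
            if op in ("~", "!~"):
                return (re.search(raw, a) is not None) == (op == "~")
            return {"=": a == raw, "!=": a != raw, "contains": raw in a,
                    "startswith": a.startswith(raw), "endswith": a.endswith(raw)}[op]
        candidates = [str(actual)]
        if field == "tags":  # "detail startswith victim" in the appendix implies per-value matching
            candidates += [t.strip() for t in str(actual).split(",")]
        return (all if op in ("!=", "!~") else any)(match(c) for c in candidates)
    expected = parse_date(raw, now) if ftype == D else float(raw)
    actual = parse_date(str(actual), now) if ftype == D else float(actual)
    return {"=": actual == expected, "!=": actual != expected, "<": actual < expected,
            "<=": actual <= expected, ">": actual > expected, ">=": actual >= expected}[op]


def split_on(tokens, keyword):
    """Split a token list on a bare AND/OR keyword; an empty piece means a dangling operator."""
    pieces = [[]]
    for tok in tokens:
        if tok == ("word", keyword):
            pieces.append([])
        else:
            pieces[-1].append(tok)
    if not all(pieces):
        raise ValueError("dangling %s in filter" % keyword)
    return pieces


def matches(filter_expr, indicator, now=None):
    """True if the indicator passes the filter; ValueError for a malformed or unsupported filter.
    Every term is evaluated (no short-circuiting) so that a bad term anywhere is reported."""
    now = now or datetime.now()
    result = False
    for group in split_on(tokenize(filter_expr), "OR"):
        group_result = True
        for term in split_on(group, "AND"):
            negate = term[:1] == [("word", "NOT")]
            term = term[1:] if negate else term
            if len(term) != 3 or term[0][0] != "word" or term[2][0] == "op":
                raise ValueError("expected 'field operator value', got %r" % [t for _, t in term])
            value = compare(term[0][1], term[1][1], term[2][1], indicator, now)
            group_result = group_result and (value != negate)
        result = result or group_result
    return result


NOW = datetime(2016, 11, 16, 12, 0, 0)  # fixed "now" so relative dates are reproducible
SAMPLE = [  # constructed indicators, not ThreatStream data
    {"value": "c2.maliciousdomain.com", "type": "domain", "confidence": 85, "status": "active",
     "modified_ts": "2016-11-10T08:00:00", "tags": "phish-target,victim-hi-tech"},
    {"value": "192.0.2.10", "type": "ip", "confidence": 30, "status": "active",
     "modified_ts": "2016-09-01T00:00:00", "tags": ""},
    {"value": "notmaliciousdomain.com", "type": "domain", "confidence": 60, "status": "falsepos",
     "modified_ts": "2016-11-15T23:59:59", "tags": "victim-hi-tech"},
]


def apply_filter(filter_expr, indicators=SAMPLE, now=NOW):
    """Values of the sample indicators that the filter lets through."""
    return [i["value"] for i in indicators if matches(filter_expr, i, now)]
```

Running apply_filter('value ~ ".*maliciousdomain\\.com$" AND type=domain') returns both constructed domains, including notmaliciousdomain.com: an "ends with" regex also matches look-alike names, so anchor with a leading dot (".*\\.maliciousdomain\\.com$") when only subdomains are wanted.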

Appendix D: Supported Indicator Types for Integration Destinations
This appendix lists the indicator types that are supported (and relevant) for each ThreatStream Link
integration destination.

Destination         Indicator Types

AccelOps            Domain, IP, URL
ArcSight ESM        Domain, Email, IP, MD5, URL
Carbon Black        Domain, IP, MD5
CEF                 Domain, Email, IP, MD5, URL
Cloudera Impala     Domain, Email, IP, MD5, URL
CrowdStrike         Domain, IP, MD5
CSV                 Domain, Email, IP, MD5, URL
Hadoop Hive         Domain, Email, IP, MD5, URL
Infoblox            Domain
LogRhythm           Domain, Email, IP, MD5, URL
NitroSecurity       Domain, Email, IP, MD5, URL
Palo Alto Networks  IP
QRadar              Domain, Email, IP, MD5, URL
QRadar API          Domain, Email, IP, MD5, URL
RSA                 Domain, Email, IP, MD5, URL
Splunk App          Domain, Email, IP, MD5, URL
Splunk Add-On       Domain, IP, URL
Syslog              Domain, Email, IP, MD5, URL
Tanium              Domain, IP, MD5


Appendix E: Indicator Types
The following table lists all available indicator types. In a filter, select a type with the itype field,
for example itype="actor_ip" (field names and values are case sensitive). Each entry gives the indicator
type, its display name in parentheses, and a description.

actor_ip (Actor IP): IP address associated with a system involved in malicious activity.

actor_ipv6 (Actor IPv6): IPv6 address associated with a system involved in malicious activity.

adware_domain (Adware Domain): A domain name associated with adware or other Potentially Unwanted
Applications (PUA).

anon_proxy (Anonymous Proxy IP): IP address of the system on which anonymous proxy software is hosted.

anon_proxy_ipv6 (Anonymous Proxy IPv6): IPv6 address of the system on which anonymous proxy software
is hosted.

anon_vpn (Anonymous VPN IP): IP address associated with commercial or free Virtual Private Networks (VPN).

anon_vpn_ipv6 (Anonymous VPN IPv6): IPv6 address associated with commercial or free Virtual Private
Networks (VPN).

apt_domain (APT Domain): Domain name associated with a known Advanced Persistent Threat (APT) actor,
used for command and control, launching exploits, or data exfiltration.

apt_email (APT Email): Email address used by a known APT actor for sending targeted, spear phishing
emails.

apt_ip (APT IP): IP address associated with a known APT actor for command and control, data
exfiltration, or targeted exploitation.

apt_ipv6 (APT IPv6): IPv6 address associated with a known APT actor for command and control, data
exfiltration, or targeted exploitation.

apt_md5 (APT MD5 File Hash): MD5 hash of a malware sample used by a known APT actor.

apt_subject (APT Subject Line): Email subject line used by a known APT actor.

apt_ua (APT User Agent): User agent string used by a known APT actor.

apt_url (APT URL): URL used by a known APT actor for command and control, launching web-based
exploits, or data exfiltration.

bot_ip (Infected Bot IP): IP address of an infected machine acting as an autonomous bot.

bot_ipv6 (Infected Bot IPv6): IPv6 address of an infected machine acting as an autonomous bot.

brute_ip (Brute Force IP): IP address associated with password brute force activity.

brute_ipv6 (Brute Force IPv6): IPv6 address associated with password brute force activity.

c2_domain (Malware C&C Domain Name): Domain name used by malware for command and control
communication.

c2_ip (Malware C&C IP Address): IP address used by malware for command and control communication.

c2_ipv6 (Malware C&C IPv6 Address): IPv6 address used by malware for command and control
communication.

c2_url (Malware C&C URL): URL used by malware for command and control communication.

compromised_domain (Compromised Domain): Domain name of a website or server that has been compromised.

compromised_email (Compromised Account Email): Email address that has been compromised and/or taken
over by a threat actor.

compromised_ip (Compromised IP): IP address of a website or server that has been compromised.

compromised_ipv6 (Compromised IPv6): IPv6 address of a website or server that has been compromised.

compromised_url (Compromised URL): URL of a website or server that has been compromised.

ddos_ip (DDoS IP): IP address associated with Distributed Denial of Service (DDoS) attacks.

ddos_ipv6 (DDoS IPv6): IPv6 address associated with Distributed Denial of Service (DDoS) attacks.

dyn_dns (Dynamic DNS): Domain name used for hosting Dynamic DNS services.

exfil_domain (Data Exfiltration Domain): Domain name associated with infrastructure used for data
exfiltration.

exfil_ip (Data Exfiltration IP): IP address used for data exfiltration.

exfil_url (Data Exfiltration URL): URL used for data exfiltration.

exploit_domain (Exploit Kit Domain): Domain name associated with a web server hosting an exploit kit
or launching web-based exploits.

exploit_ip (Exploit Kit IP): IP address associated with a web server hosting an exploit kit or
launching web-based exploits.

exploit_ipv6 (Exploit Kit IPv6): IPv6 address associated with a web server hosting an exploit kit or
launching web-based exploits.

exploit_url (Exploit Kit URL): URL used for launching web-based exploits.

geolocation_url (IP Geolocation URL): URL that can be used to provide IP geolocation services.

hack_tool (Hacking Tool): MD5 hash of general hacking software tools used by threat actors.

i2p_ip (I2P IP Address): IP address observed connecting to the I2P (Invisible Internet Project) network.

i2p_ipv6 (I2P IPv6 Address): IPv6 address observed connecting to the I2P (Invisible Internet Project)
network.

ipcheck_url (IP Check URL): URL that can be used to provide IP checking services, such as echoing the
Internet-facing IP address of the client.

mal_domain (Malware Domain): Domain contacted by a malware sample; could be for command and control
commands, or to check if the client is online.

mal_email (Malware Email): Email address used to send malware through malicious links or attachments.

mal_ip (Malware C&C IP): IP address contacted by a malware sample; could be for command and control
commands, or to check if the client is online.

mal_ipv6 (Malware C&C IPv6): IPv6 address contacted by a malware sample; could be for command and
control commands, or to check if the client is online.

mal_md5 (Malware MD5 File Hash): MD5 hash of a malware sample.

mal_ua (Malware User Agent): User agent string used by a malware sample when communicating via HTTP.

mal_url (Malware URL): URL contacted by a malware sample when run on an infected host.

p2pcnc (Peer-to-Peer C&C IP Address): IP address associated with a peer-to-peer command and control
infrastructure.

parked_domain (Parked Domain): A domain name of a website that is currently parked.

parked_ip (Domain Parking IP): An IP address used for parking newly registered or inactive domain names.

parked_ipv6 (Domain Parking IPv6): An IPv6 address used for parking newly registered or inactive domain
names.

parked_url (Parked URL): A URL of a website that is currently parked.

pastesite_url (Paste Site URL): A URL that can be used for sharing pastes or text content anonymously.

phish_domain (Phishing Domain): A domain used to perform phishing or spear phishing attacks, or
contained in a phishing email.

phish_email (Phishing Email Address): An email address associated with sending phishing or spear
phishing emails to victims.

phish_ip (Phishing IP Address): IP address that has been used to perform phishing or spear phishing, or
is contained in a phishing email.

phish_ipv6 (Phishing IPv6 Address): IPv6 address that has been used to perform phishing or spear
phishing, or is contained in a phishing email.

phish_url (Phishing URL): A URL used to perform phishing or spear phishing attacks, or contained in a
phishing email.

proxy_ip (Open Proxy IP): IP address hosting open or anonymous proxy software, which allows a user to
hide their IP address from the target.

proxy_ipv6 (Open Proxy IPv6): IPv6 address hosting open or anonymous proxy software, which allows a
user to hide their IP address from the target.

scan_ip (Scanning IP): IP address observed performing port scanning and vulnerability scanning
activities.

scan_ipv6 (Scanning IPv6): IPv6 address observed performing port scanning and vulnerability scanning
activities.

sinkhole_domain (Sinkhole Domain): A domain name that researchers or security companies typically
sinkhole.

sinkhole_ip (Sinkhole IP): An IP address known to be used to sinkhole malicious domain names.

sinkhole_ipv6 (Sinkhole IPv6): An IPv6 address known to be used to sinkhole malicious domain names.

spam_domain (Spam Domain): A malicious domain name contained in spam email messages.

spam_email (Spammer Email Address): Email address observed sending spam emails.

spam_ip (Spammer IP): An IP address known to send spam emails.

spam_ipv6 (Spammer IPv6): An IPv6 address known to send spam emails.

spam_url (Spam URL): A malicious URL contained in spam email messages.

speedtest_url (Speed Test URL): A URL that can be used to perform internet speed tests or bandwidth
measurements of the client's network connection.

ssh_ip (SSH Brute Force IP): IP address associated with SSH brute force attempts.

ssh_ipv6 (SSH Brute Force IPv6): IPv6 address associated with SSH brute force attempts.

suppress (Suppress): Not a true itype. Used by ArcSight for suppressing false positives.

suspicious_domain (Suspicious Domain): A domain name that appears to be registered for suspect reasons,
but may not be associated with known malicious activity yet.

tor_ip (TOR Node IP): An IP address operating as part of The Onion Router (TOR) network, also known as
a TOR exit node.

tor_ipv6 (TOR Node IPv6): An IPv6 address operating as part of The Onion Router (TOR) network, also
known as a TOR exit node.

torrent_tracker_url (Torrent Tracker URL): A URL used for tracking BitTorrent file transfer activity.

vpn_domain (Anonymous VPN Domain): A domain name associated with commercial or free Virtual Private
Networks (VPN).

vps_ip (Cloud Server IP): An IP address used for hosting Virtual Private Servers (VPS) or other server
rentals.

vps_ipv6 (Cloud Server IPv6): An IPv6 address used for hosting Virtual Private Servers (VPS) or other
server rentals.


Appendix F: SSH Key Pair Generation
This appendix describes how to create an SSH key pair needed for a remotely installed ThreatStream
Link to communicate with security products.

Generating an SSH Key Pair

On the system where ThreatStream Link is installed:

1. Enter this command to generate a key pair (the key type must be given in lower case):

ssh-keygen -t rsa

2. Follow the prompts: accept the default file location (~/.ssh/id_rsa) and choose a passphrase. If
ThreatStream Link must connect unattended, leave the passphrase empty and rely on the file permissions
of ~/.ssh/id_rsa to protect the private key.

3. Enter this command to display the public key you just created:

cat ~/.ssh/id_rsa.pub

4. Copy the key starting at ssh-rsa until the end of the single line. Make sure that you copy the
entire line; a truncated key is not recognized by the destination server.

Creating an Authorization Key on the Destination Server
Follow this procedure to add the public key to the destination server so that ThreatStream Link can
log in with it.

1. SSH to the server using a user name and password, logging in as the account that ThreatStream Link
will use.

2. Enter these commands:

mkdir -p ~/.ssh

chmod 700 ~/.ssh

echo '<the key you copied in the previous procedure>' >> ~/.ssh/authorized_keys

chmod 600 ~/.ssh/authorized_keys

The authorization key is stored in the file ~/.ssh/authorized_keys. With its default StrictModes
setting, sshd ignores an authorized_keys file or .ssh directory that is writable by group or others, so
keep the modes shown above.
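Step 4 of the key generation procedure warns that the whole line must be copied; a key truncated in the clipboard is ignored by sshd, and the only symptom is that ThreatStream Link is asked for a password. The following added example, not part of the Anomali guide, performs the "Creating an Authorization Key" commands in Python with a check of the copied line first: it base64-decodes the key data, walks the length-prefixed fields of the OpenSSH wire format, and confirms that the first field names the declared key type. The accepted key types, the dummy key built by make_test_key, and the idempotent append are assumptions of the example.

```python
"""Validate a pasted OpenSSH public-key line and install it into authorized_keys with the
permissions sshd expects. Added example, not part of the Anomali guide: it automates the
Appendix F "Creating an Authorization Key" commands and adds the check a practitioner wants
before the echo, namely that the copied line is complete. The key produced by make_test_key
is a made-up value, not a real key; the set of accepted key types is an assumption."""
import base64
import os
import struct
import tempfile

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256")


def parse_pubkey_line(line):
    """Return (key type, comment) for an authorized_keys line, or raise ValueError.
    The base64 blob must decode, consist entirely of length-prefixed strings (the wire
    format every OpenSSH key type uses) and name the declared key type in its first
    field; a line cut short while copying fails at least one of these checks."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError("line must start with a known key type followed by base64 data")
    keytype, data = parts[0], parts[1]
    try:
        blob = base64.b64decode(data, validate=True)
    except ValueError as exc:  # binascii.Error is a subclass of ValueError
        raise ValueError("key data is not valid base64 (truncated paste?): %s" % exc)
    fields, offset = [], 0
    while offset < len(blob):
        if offset + 4 > len(blob):
            raise ValueError("truncated key data: incomplete length prefix")
        (length,) = struct.unpack(">I", blob[offset:offset + 4])
        offset += 4
        if offset + length > len(blob):
            raise ValueError("truncated key data: field runs past the end of the blob")
        fields.append(blob[offset:offset + length])
        offset += length
    if not fields or fields[0] != keytype.encode():
        raise ValueError("key data does not encode the declared type %s" % keytype)
    return keytype, parts[2] if len(parts) == 3 else ""


def is_complete_key(line):
    """True if parse_pubkey_line accepts the line."""
    try:
        parse_pubkey_line(line)
        return True
    except ValueError:
        return False


def install_authorized_key(home, line):
    """Append the key to <home>/.ssh/authorized_keys (once) and set modes 700/600.
    Same effect as the guide's mkdir/chmod/echo/chmod, but idempotent and with the
    modes that sshd's StrictModes check requires. Returns True if the key was written."""
    parse_pubkey_line(line)
    ssh_dir = os.path.join(home, ".ssh")
    path = os.path.join(ssh_dir, "authorized_keys")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)
    identity = line.split()[:2]  # type and data identify a key; the comment does not
    if os.path.exists(path):
        with open(path) as fh:
            if any(entry.split()[:2] == identity for entry in fh if entry.strip()):
                os.chmod(path, 0o600)
                return False
    with open(path, "a") as fh:
        fh.write(line.strip() + "\n")
    os.chmod(path, 0o600)
    return True


def make_test_key(keytype="ssh-ed25519", comment="threatstream-link"):
    """Constructed public-key line (dummy 32-byte key), only for exercising the checks."""
    blob = (struct.pack(">I", len(keytype)) + keytype.encode() +
            struct.pack(">I", 32) + b"\x01" * 32)
    return "%s %s %s" % (keytype, base64.b64encode(blob).decode(), comment)


def demo():
    """Install the test key twice in a scratch home; returns (written, written again, mode)."""
    home = tempfile.mkdtemp()
    line = make_test_key()
    first = install_authorized_key(home, line)
    second = install_authorized_key(home, line)
    mode = os.stat(os.path.join(home, ".ssh", "authorized_keys")).st_mode & 0o777
    return first, second, mode
```

Run is_complete_key on the pasted line before it goes anywhere near authorized_keys; the structural walk catches a line cut at a four-character base64 boundary, which plain base64 decoding would accept.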

Send Documentation Feedback
If you have comments about this document, you can contact the documentation team in these ways:

- Click "contact the documentation team" to send an email. If you have an email client configured on
  this system, an email window will open with the following information in the subject line:

  Feedback on (ThreatStream Link 5.3.5)

- Send your feedback to support@anomali.com.

Thank you for your feedback!