Publisher: Flashpoint
Connector Version: 2.0.0
Product Vendor: Flashpoint
Product Name: Flashpoint
Product Version Supported (regex): ".*"
Minimum Product Version: 5.5.0

This app implements the investigative actions for the Flashpoint on the Phantom Platform

The asset configuration parameters affect [test connectivity] and all the other actions of the application. Below are the explanation and usage of all those parameters.

• Base URL - The URL to connect to the Flashpoint server.
• API Token - The API token of the user.
• Retry Wait Period (in seconds) - The value of this parameter defines the waiting period in seconds for which to hold the current execution of the action on receiving the “500 Internal Server Error” and then, retry the same API call after the waiting period is exhausted. This ensures that the integration provides a mechanism of attempting to overcome the intermittent “500 Internal Server Error”. It allows only non-zero positive integer values as input. The default value is 5 seconds.
• Number Of Retries - The value of this parameter defines the number of attempts for which the action will keep on retrying if the Flashpoint API continuously returns the “500 Internal Server Error”. If the intermittent error gets eliminated before the number of retries gets exhausted, then, the action execution will continue along its workflow with the next set of API calls and if the intermittent error is still persistent and all the number of retries are exhausted, then, the action will fail with the latest error message being displayed. It allows only zero or positive integer values as input. The default value is 1 retry.
• Session Timeout - This is an optional asset configuration parameter. The value of this parameter will be used as the session timeout value in the ‘Get Compromised Credentials’ and ‘Run Query’ actions while using the session scrolling pagination. The default value is 2 minutes and the maximum allowed value is 60 minutes.

1. Go to Flashpoint .
2. Select APIs & Integrations from the left side panel.
3. Under the FLASHPOINT API section, select Manage API Tokens .
4. Click on the GENERATE TOKEN .
5. Enter a Token Label and your current FPTools credentials in the Username and Password fields in the appeared Generate API Token prompt.
6. Click on the GENERATE button.
7. This will generate a new API token and will display it in the GENERATE API TOKEN section on the page.

  Note- Save your generated API token somewhere secure, as you will no longer be able to retrieve this key after leaving this page.

1. Test Connectivity (Action Workflow Details)

   • This action will test the connectivity of the Phantom server to the Flashpoint instance by making an initial API call to the Indicators API using the provided asset configuration parameters.
   • The action validates the provided asset configuration parameters. Based on the API call response, the appropriate success and failure message will be displayed when the action gets executed.

2. List Indicators

   • Action Parameter ​ - Attribute Types

     • This parameter enables search by attribute types. It is an optional action parameter. It supports the comma-separated list of attribute types values. Each value from the provided comma-separated list must correspond to one of the MISP types, a list of which can be found here .
     • Examples:
       • Get recent md5, sha1, or source IP indicators
         • Attribute Types = md5,sha1,ip-src

   • Action Parameter ​ - Query

     • This parameter will be used for free text searching. It is an optional parameter. You can also provide different queries to filter out indicators results.
     • Examples:
       • Filtering results based on the field value
         • Query = category:”Payload Delivery”
       • Free text search(when using multiple words, use a + instead of space, and for specific word search use “test text” (inverted double quotes) in the query action parameter.)
         • Query = gandcrab+ransomware
         • Query = “test text”

   • Action Parameter - Limit

     • This parameter is used to limit the number of indicator results. The default value is 500. If the limit is not provided, it will fetch by default 500 indicator results.

   • Notes - The user will have to provide URL value in the "Attribute Types" action parameter and the URL value enclosed in double-quotes in the "Query" parameter if they want to search for an IoC having a specific URL value. This does not work correctly if the user provides the URL value without double-quotes in the "Query" parameter. This is based on the current API behavior of the Flashpoint.

3. Search Indicators

   • Action Parameter ​ - Attribute Type and Attribute Value

     • These parameters are required parameters. They will be used to retrieve specific indicator results based on the provided values.
     • Examples:

       • Get indicator matching a specific hash value

         • Attribute Type = md5 (any of md5,sha1,sha256, etc.)
         • Attribute Value= 16139ce9025274a388a4281fef65049e

       • Get indicator matching a specific filename

         • Attribute Type = filename
         • Attribute Value= "PLEASE-CHECK”

         Note - In the above example, without the double quotes around the filename, it will search for every filename that matches 'PLEASE'. The hyphen/space will be considered as the end of the search value and it will search for indicators matching the value until the first encountered hyphen/space.

       • Get indicator matching a specific source IP Address

         • Attribute Type = ip-src
         • Attribute Value = 111.255.198.92

       • Get indicator matching a specific URL value

         • Attribute Type = url
         • Attribute Value= http://ww1.gadmobs.com/?subid1=bf5b0786-272c-11e9-b8c7-e15edf920d61

         Note - Internally, this URL value passed within the inverted comma(for ad-hoc fixation) in the request parameters. Because without the inverted comma, the server responded with the Internal Server Error unnecessarily.

   • Action Parameter ​ - Limit

     • This parameter is used to limit the number of indicator results. The default value is 500. If the limit is not provided, it will fetch by default 500 indicator results.

   • Notes - This action is not working with the valid value of IoC type which consists of pipe symbol(|) in its name. In case of searching the IoC of that type, you can use [run query] or [list indicators] actions by providing an appropriate query in the "Query" action parameter. Below are the examples:

     For [run query] action :

     Search for IoC value which consists of pipe symbol(|) in the IoC attribute type

     • Usage :

     • Query = +basetypes:indicator_attribute +type:"<ioc_type>" +value.\*:<ioc_value>

     • Example :

     • Query = +basetypes:indicator_attribute +type:"ip-dst|port" +value.\*:5.79.68.110|80

     For [list indicators] action :

     Search for IoC value which consists of pipe symbol(|) in the IoC attribute type

     • Usage :

     • Attribute Types = <ioc_type>

     • Query = +value.\*:<ioc_value>

     • Example :

     • Attribute Types = ip-dst|port

     • Query = +value.\*:"5.79.68.110|80"

4. List Reports

   • Action Parameter ​ - Limit

     • This is an optional parameter. It is used to limit the number of fetched intelligence reports. The default value is 500. If the limit is not provided, it will fetch by default 500 intelligence reports.

     Note - Based on the current API analysis, the endpoint for this action fetches a huge set of data. Hence, the action run might take more time for a larger limit value.

5. Get Report

   • Action Parameter ​ - Report ID
     • This is a required parameter. It is a Flashpoint intelligence report ID.
     • Examples:
       • Fetch an intelligence report having the provided report ID value
         • Report ID = wrh9BCZETzu3AO3CUopOlw

6. List Related Reports

   • Action Parameter ​ - Report ID

     • This is a required parameter. It is a Flashpoint intelligence report ID.
     • Examples:
       • Fetch default 500 related intelligence reports for the provided report ID
         • Report ID = wrh9BCZETzu3AO3CUopOlw
         • Limit = Keep it empty

   • Action Parameter ​ - Limit

     • This is an optional parameter. It is used to limit the number of fetched intelligence reports. The default value is 500. If the limit is not provided, it will fetch by default 500 intelligence reports.

     Note - Based on the current API analysis, the endpoint for this action fetches a huge set of data. Hence, the action run might take more time for a larger limit value.

7. Get Compromised Credentials

   • Action Parameter ​ - Filter

     • This parameter will be used for filtering the data of credentials sightings on the Flashpoint instance. It is an optional parameter. If not given, it will get all the compromised credentials. A few sample values of the filter action parameter are listed below.
       • +is_fresh:true (search for only new credential sightings)
       • +breach.first_observed_at.date-time:[now-30d TO now] (search for credential sightings which are discovered in the last month based on the date provided from the source of this credential sightings data)
       • +breach.fpid:nIbeDs_VXyKedBmuhFEaGQ (search for all credential sightings in a Breach)
       • +email:username (search for a username)
       • +email.keyword:[email protected] (search for an email address)
       • +domain.keyword:domain.com (search for credentials sightings data of a particular domain)
     • Examples:
       • Search for credential sightings of the given domain and that are discovered in the last month based on the date provided from the source of this credential sightings data
         • Filter = +domain.keyword:domain.com+breach.first_observed_at.date-time:[now-30d TO now]
       • Search for credential sightings of the given domain and that are discovered in the last month based on the date of indexing of the data into the Flashpoint server
         • Filter = +domain.keyword:domain.com+header_.indexed_at:[now-30d TO now]
       • Search for credential sightings which are discovered in the last month based on the date of indexing of the data into the Flashpoint server
         • Filter = +header_.indexed_at:[now-30d TO now]
       • Search for credential sightings which are discovered in between the provided timestamps based on the date provided from the source of this credential sightings data
         • Filter = +breach.first_observed_at.timestamp:[1234567890 TO 1234567890]
     • Usage:

       • For making filter parameter value

         • Query= +basetypes:credential-sighting<filter>

         Here, the filter is any supported values by the search API endpoint.

   • Action Parameter ​ - Limit

     • This parameter is used to limit the number of fetched compromised credentials. The default value is 500. If the limit is not provided, it will fetch by default 500 compromised credentials. The internal pagination logic for fetching a large number of compromised credentials implements the scrolling session-based Credentials All Search APIs.

8. Run Query

   • Action Parameter ​ - Query

     • This parameter will be used to search across all fields in the marketplace data by appending terms to it or limit searches to individual fields by appending <field name>:<value> to the ‘Query’ parameter. The queries supported by action are listed below.
       • Credential breach queries (+basetypes:breach)
       • CVE queries (+basetypes:cve)
       • Card queries (+basetypes:card)
       • Paste queries (+basetypes:paste)
       • Chat queries (+basetypes:generic-product)
       • Indicator attribute queries (+basetypes:indicator_attribute)
       • Credential sightings queries (+basetypes:credential-sighting)
       • Vulnerability queries (+basetypes:vulnerability)
       • Conversation queries (+basetypes:conversation)
       • Chan queries (+basetypes:chan)
       • Blog queries (+basetypes:blog)
       • Reddit queries (+basetypes:reddit)
       • Forum queries (+basetypes:forum)
     • Examples:
       • Search for "Analyst Research" breaches
         • Query= +basetypes:breach+source_type:"Analyst Research"
       • Search for "testing" across all free-form fields (message body, channel profile, channel name, and user name) for chat queries
         • Query = +basetypes:chat+testing
       • Search for credential sightings of the given domain and that are discovered in the last month based on the date provided from the source of this credential sightings data
         • Filter = +basetypes:credential-sighting+domain.keyword:domain.com+breach.first_observed_at.date-time:[now-30d TO now]
       • Search for all search results which are discovered in the last month based on the date of indexing of the data into the Flashpoint server
         • Filter = +header_.indexed_at:[now-30d TO now]
       • Filter all search results by ISO date/time range based on the date provided from the source of this search data
         • Query = +created_at.date-time:["2018-10-24T10:05:10+00:00" TO "2018-10-26T10:05:10+00:00"]
       • Filter results by Unix time for all paste results based on the date provided from the source of this paste search data
         • Query = +basetypes:paste+created_at.timestamp:[1234567890 TO 1234567890]
     • Usage:

       • For making query parameter value

         • Query= <basetypes_query><search_filter>

         Here, basetypes_query and search_filter are any supported values by the search API endpoint.

   • Action Parameter ​ - Limit

     • This parameter is used to limit the number of fetched all search data. The default value is 500. If the limit is not provided, it will fetch by default 500 search items. The internal pagination logic for fetching a large number of search items implements the scrolling session-based All Search APIs.

The below configuration variables are required for this Connector to operate. These variables are specified when configuring a Flashpoint asset in SOAR.

test connectivity - Validate the asset configuration for connectivity using supplied configuration
list reports - Fetch a list of all the intelligence reports from the Flashpoint Platform
get report - Fetch a specific intelligence report from the Flashpoint Platform for the provided report ID
list related reports - Fetch a list of all the related intelligence reports from the Flashpoint Platform for the provided report ID
get compromised credentials - Fetch a list of all the Credential Sightings from the Flashpoint Platform
run query - Fetch the data by performing a universal search from the Flashpoint Platform
list indicators - Fetch a list of IoCs that occur in the context of an event from the Flashpoint Platform
search indicators - Fetch an IoC value of a specific attribute type from the list of available IoCs on the Flashpoint Platform

Validate the asset configuration for connectivity using supplied configuration

Type: test
Read only: True

No parameters are required for this action

No Output

Fetch a list of all the intelligence reports from the Flashpoint Platform

Type: investigate
Read only: True

Fetch a specific intelligence report from the Flashpoint Platform for the provided report ID

Type: investigate
Read only: True

Fetch a list of all the related intelligence reports from the Flashpoint Platform for the provided report ID

Type: investigate
Read only: True

Fetch a list of all the Credential Sightings from the Flashpoint Platform

Type: investigate
Read only: True

Fetch the data by performing a universal search from the Flashpoint Platform

Type: investigate
Read only: True

PGPxKeyxPublic -----END PGP PUBLIC KEY BLOCK----- action_result.data.*._source.site_actor.post_reputation.number_of_upvotes | numeric | | 1 action_result.data.*._source.site_actor.reputation.count_ratings | string | | 50 action_result.data.*._source.site_actor.reputation.negative_feedback | string | | -1 action_result.data.*._source.site_actor.reputation.positive_feedback | string | | 0 action_result.data.*._source.site_actor.reputation.score | string | | 100 action_result.data.*._source.site_actor.reputation.site_actor_rating | string | | Level 1 action_result.data.*._source.site_actor.roles.*.id | string | | 276516314170916864 action_result.data.*._source.site_actor.roles.*.name | string | | @everyone action_result.data.*._source.site_actor.sales.total_transactions | numeric | | 5000 action_result.data.*._source.site_actor.server.created_at.date-time | string | | 2017-02-02T00:57:06.723000+00:00 action_result.data.*._source.site_actor.server.created_at.raw | string | | 1485997026.723 action_result.data.*._source.site_actor.server.created_at.timestamp | numeric | | 1485997026 action_result.data.*._source.site_actor.server.fpid | string | | 1xVN9lLjUPC7SMwbLv_0RQ action_result.data.*._source.site_actor.server.icon_url | string | | https://testdomainlink.com/icons/1234.jpg action_result.data.*._source.site_actor.server.is_deleted | boolean | | True False action_result.data.*._source.site_actor.server.last_observed_at.date-time | string | | 2020-01-08T17:42:10.080020+00:00 action_result.data.*._source.site_actor.server.last_observed_at.raw | string | | 1578505330.08002 action_result.data.*._source.site_actor.server.last_observed_at.timestamp | numeric | | 1578505330 action_result.data.*._source.site_actor.server.name | string | | Super Club Penguin action_result.data.*._source.site_actor.server.native_id | string | | 276516314170916864 action_result.data.*._source.site_actor.server.region | string | | us_central action_result.data.*._source.site_actor.server.server_owner.id | string | | 272944155205042177 action_result.data.*._source.site_actor.server.server_owner.username | string | | Mate#5386 action_result.data.*._source.site_actor.server.site.fpid | string | | 6-JEBtwCWXmpUgPo1ZtoRQ action_result.data.*._source.site_actor.server.site.is_deleted | boolean | | True False action_result.data.*._source.site_actor.server.site.site_type | string | | Site Type action_result.data.*._source.site_actor.server.site.source_uri | string | | urn:fp:resource:qualified:site:27891 action_result.data.*._source.site_actor.server.site.title | string | | Site Title action_result.data.*._source.site_actor.server.source_uri | string | | urn:fp:resource:qualified:conversation:chat:discord:server:276516314170916864 action_result.data.*._source.site_actor.server.title | string | | Server Title action_result.data.*._source.site_actor.server.verification_level | string | | 4 action_result.data.*._source.site_actor.site_actor._header.collected_fpid | string | | RK6nDJJbRAmmInesId8lqA action_result.data.*._source.site_actor.site_actor._header.observed_at | numeric | | 1559420203 action_result.data.*._source.site_actor.site_actor.avatar_uri.href | string | | https://testdomainlink.com/media/user/1234.jpg action_result.data.*._source.site_actor.site_actor.body.enrichments.language | string | | en action_result.data.*._source.site_actor.site_actor.body.raw | string | | This is a test body action_result.data.*._source.site_actor.site_actor.body.text/html+sanitized | string | | This is a test body text/html+sanitized action_result.data.*._source.site_actor.site_actor.body.text/plain | string | | This is a test body text/plain action_result.data.*._source.site_actor.site_actor.created_at.date-time | string | | 2016-12-01T00:00:00+00:00 action_result.data.*._source.site_actor.site_actor.created_at.raw | string | | December 2016 action_result.data.*._source.site_actor.site_actor.created_at.timestamp | numeric | | 1480550400 action_result.data.*._source.site_actor.site_actor.fpid | string | | eE9alofZWZuS0Ef5HiirIA action_result.data.*._source.site_actor.site_actor.is_donor | boolean | | True False action_result.data.*._source.site_actor.site_actor.is_investor | boolean | | True False action_result.data.*._source.site_actor.site_actor.is_premium | boolean | | True False action_result.data.*._source.site_actor.site_actor.is_private | boolean | | True False action_result.data.*._source.site_actor.site_actor.is_pro | boolean | | True False action_result.data.*._source.site_actor.site_actor.is_verified | boolean | | True False action_result.data.*._source.site_actor.site_actor.names.handle | string | | dankemp action_result.data.*._source.site_actor.site_actor.native_id | string | | dankemp action_result.data.*._source.site_actor.site_actor.number_following | numeric | | 2304 action_result.data.*._source.site_actor.site_actor.number_of_followers | numeric | | 1703 action_result.data.*._source.site_actor.site_actor.number_of_messages | numeric | | 9610 action_result.data.*._source.site_actor.site_actor.site.created_at.date-time | string | | 2018-05-03T13:35:05 action_result.data.*._source.site_actor.site_actor.site.description.raw | string | | This is an example description action_result.data.*._source.site_actor.site_actor.site.fpid | string | | _tI5K2qyXYeqD3rUhkxMzg action_result.data.*._source.site_actor.site_actor.site.site_type | string | | Social Network action_result.data.*._source.site_actor.site_actor.site.source_uri | string | | testdomainlink.com action_result.data.*._source.site_actor.site_actor.site.tags.*.name | string | | Tag Name action_result.data.*._source.site_actor.site_actor.site.tags.*.parent_tag.name | string | | Parent Tag Name action_result.data.*._source.site_actor.site_actor.site.title | string | | Site Title action_result.data.*._source.site_actor.site_actor.site.updated_at.date-time | string | | 2019-03-27T15:59:59 action_result.data.*._source.site_actor.site_actor.site_actor._header.collected_fpid | string | | RK6nDJJbRAmmInesId8lqA action_result.data.*._source.site_actor.site_actor.site_actor._header.observed_at | numeric | | 1559420203.347195 action_result.data.*._source.site_actor.site_actor.site_actor.avatar_uri.href | string | | https://testdomainlink.com/media/user/1234.jpg action_result.data.*._source.site_actor.site_actor.site_actor.body.enrichments.language | string | | en action_result.data.*._source.site_actor.site_actor.site_actor.body.raw | string | | This is a test body action_result.data.*._source.site_actor.site_actor.site_actor.body.text/html+sanitized | string | | This is a test body text/html+sanitized action_result.data.*._source.site_actor.site_actor.site_actor.body.text/plain | string | | This is a test body text/plain action_result.data.*._source.site_actor.site_actor.site_actor.created_at.date-time | string | | 2016-12-01T00:00:00+00:00 action_result.data.*._source.site_actor.site_actor.site_actor.created_at.raw | string | | December 2016 action_result.data.*._source.site_actor.site_actor.site_actor.created_at.timestamp | numeric | | 1480550400 action_result.data.*._source.site_actor.site_actor.site_actor.fpid | string | | eE9alofZWZuS0Ef5HiirIA action_result.data.*._source.site_actor.site_actor.site_actor.is_donor | boolean | | True False action_result.data.*._source.site_actor.site_actor.site_actor.is_investor | boolean | | True False action_result.data.*._source.site_actor.site_actor.site_actor.is_premium | boolean | | True False action_result.data.*._source.site_actor.site_actor.site_actor.is_private | boolean | | True False action_result.data.*._source.site_actor.site_actor.site_actor.is_pro | boolean | | True False action_result.data.*._source.site_actor.site_actor.site_actor.is_verified | boolean | | True False action_result.data.*._source.site_actor.site_actor.site_actor.names.handle | string | | dankemp action_result.data.*._source.site_actor.site_actor.site_actor.native_id | string | | dankemp action_result.data.*._source.site_actor.site_actor.site_actor.number_following | numeric | | 2304 action_result.data.*._source.site_actor.site_actor.site_actor.number_of_followers | numeric | | 1703 action_result.data.*._source.site_actor.site_actor.site_actor.number_of_messages | numeric | | 9610 action_result.data.*._source.site_actor.site_actor.site_actor.site.created_at.date-time | string | | 2018-05-03T13:35:05 action_result.data.*._source.site_actor.site_actor.site_actor.site.description.raw | string | | This is an example description. action_result.data.*._source.site_actor.site_actor.site_actor.site.fpid | string | | _tI5K2qyXYeqD3rUhkxMzg action_result.data.*._source.site_actor.site_actor.site_actor.site.site_type | string | | Social Network action_result.data.*._source.site_actor.site_actor.site_actor.site.source_uri | string | | testdomainlink.com action_result.data.*._source.site_actor.site_actor.site_actor.site.tags.*.name | string | | Tag Name action_result.data.*._source.site_actor.site_actor.site_actor.site.tags.*.parent_tag.name | string | | Parent Tag Name action_result.data.*._source.site_actor.site_actor.site_actor.site.title | string | | Site Title action_result.data.*._source.site_actor.site_actor.site_actor.site.updated_at.date-time | string | | 2019-03-27T15:59:59 action_result.data.*._source.site_actor.site_actor.site_actor.site_actor._header.collected_fpid | string | | RK6nDJJbRAmmInesId8lqA action_result.data.*._source.site_actor.site_actor.site_actor.site_actor._header.observed_at | numeric | | 1559420203 action_result.data.*._source.site_actor.site_actor.site_actor.site_actor.avatar_uri.href | string | | https://testdomainlink.com/media/user/1234.jpg action_result.data.*._source.site_actor.site_actor.site_actor.site_actor.body.enrichments.language | string | | en action_result.data.*._source.site_actor.site_actor.site_actor.site_actor.body.raw | string | | This is a test body action_result.data.*._source.site_actor.site_actor.site_actor.site_actor.body.text/html+sanitized | string | | This is a test body text/html+sanitized action_result.data.*._source.site_actor.site_actor.site_actor.site_actor.body.text/plain | string | | This is a test body text/plain action_result.data.*._source.site_actor.site_actor.site_actor.site_actor.created_at.date-time | string | | 2016-12-01T00:00:00+00:00 action_result.data.*._source.site_actor.site_actor.site_actor.site_actor.created_at.raw | string | | December 2016 action_result.data.*._source.site_actor.site_actor.site_actor.site_actor.created_at.timestamp | numeric | | 1480550400 action_result.data.*._source.site_actor.site_actor.site_actor.site_actor.fpid | string | | eE9alofZWZuS0Ef5HiirIA action_result.data.*._source.site_actor.site_actor.site_actor.site_actor.is_donor | boolean | | True False action_result.data.*._source.site_actor.site_actor.site_actor.site_actor.is_investor | boolean | | True False action_result.data.*._source.site_actor.site_actor.site_actor.site_actor.is_premium | boolean | | True False action_result.data.*._source.site_actor.site_actor.site_actor.site_actor.is_private | boolean | | True False action_result.data.*._source.site_actor.site_actor.site_actor.site_actor.is_pro | boolean | | True False action_result.data.*._source.site_actor.site_actor.site_actor.site_actor.is_verified | boolean | | True False action_result.data.*._source.site_actor.site_actor.site_actor.site_actor.names.handle | string | | dankemp action_result.data.*._source.site_actor.site_actor.site_actor.site_actor.native_id | string | | dankemp action_result.data.*._source.site_actor.site_actor.site_actor.site_actor.number_following | numeric | | 2304 action_result.data.*._source.site_actor.site_actor.site_actor.site_actor.number_of_followers | numeric | | 1703 action_result.data.*._source.site_actor.site_actor.site_actor.site_actor.number_of_messages | numeric | | 9610 action_result.data.*._source.site_actor.site_actor.site_actor.site_actor.site.created_at.date-time | string | | 2018-05-03T13:35:05 action_result.data.*._source.site_actor.site_actor.site_actor.site_actor.site.description.raw | string | | This is an example description action_result.data.*._source.site_actor.site_actor.site_actor.site_actor.site.fpid | string | | _tI5K2qyXYeqD3rUhkxMzg action_result.data.*._source.site_actor.site_actor.site_actor.site_actor.site.site_type | string | | Social Network action_result.data.*._source.site_actor.site_actor.site_actor.site_actor.site.source_uri | string | | testdomainlink.com action_result.data.*._source.site_actor.site_actor.site_actor.site_actor.site.tags.*.name | string | | Tag Name action_result.data.*._source.site_actor.site_actor.site_actor.site_actor.site.tags.*.parent_tag.name | string | | Parent Tag Name action_result.data.*._source.site_actor.site_actor.site_actor.site_actor.site.title | string | | Site Title action_result.data.*._source.site_actor.site_actor.site_actor.site_actor.site.updated_at.date-time | string | | 2019-03-27T15:59:59 action_result.data.*._source.site_actor.site_actor.site_actor.site_actor.site_actor._header.collected_fpid | string | | RK6nDJJbRAmmInesId8lqA action_result.data.*._source.site_actor.site_actor.site_actor.site_actor.site_actor._header.observed_at | numeric | | 1559420203 action_result.data.*._source.site_actor.site_actor.site_actor.site_actor.site_actor.avatar_uri.href | string | | https://testdomainlink.com/media/user/1234.jpg action_result.data.*._source.site_actor.site_actor.site_actor.site_actor.site_actor.body.enrichments.language | string | | en action_result.data.*._source.site_actor.site_actor.site_actor.site_actor.site_actor.body.raw | string | | This is a test body action_result.data.*._source.site_actor.site_actor.site_actor.site_actor.site_actor.body.text/html+sanitized | string | | This is a test body text/html+sanitized action_result.data.*._source.site_actor.site_actor.site_actor.site_actor.site_actor.body.text/plain | string | | This is a test body text/plain action_result.data.*._source.site_actor.site_actor.site_actor.site_actor.site_actor.created_at.date-time | string | | 2016-12-01T00:00:00+00:00 action_result.data.*._source.site_actor.site_actor.site_actor.site_actor.site_actor.created_at.raw | string | | December 2016 action_result.data.*._source.site_actor.site_actor.site_actor.site_actor.site_actor.created_at.timestamp | numeric | | 1480550400 action_result.data.*._source.site_actor.site_actor.site_actor.site_actor.site_actor.fpid | string | | eE9alofZWZuS0Ef5HiirIA action_result.data.*._source.site_actor.site_actor.site_actor.site_actor.site_actor.is_donor | boolean | | True False action_result.data.*._source.site_actor.site_actor.site_actor.site_actor.site_actor.is_investor | boolean | | True False action_result.data.*._source.site_actor.site_actor.site_actor.site_actor.site_actor.is_premium | boolean | | True False action_result.data.*._source.site_actor.site_actor.site_actor.site_actor.site_actor.is_private | boolean | | True False action_result.data.*._source.site_actor.site_actor.site_actor.site_actor.site_actor.is_pro | boolean | | True False action_result.data.*._source.site_actor.site_actor.site_actor.site_actor.site_actor.is_verified | boolean | | True False action_result.data.*._source.site_actor.site_actor.site_actor.site_actor.site_actor.names.handle | string | | dankemp action_result.data.*._source.site_actor.site_actor.site_actor.site_actor.site_actor.native_id | string | | dankemp action_result.data.*._source.site_actor.site_actor.site_actor.site_actor.site_actor.number_following | numeric | | 2304 action_result.data.*._source.site_actor.site_actor.site_actor.site_actor.site_actor.number_of_followers | numeric | | 1703 action_result.data.*._source.site_actor.site_actor.site_actor.site_actor.site_actor.number_of_messages | numeric | | 9610 action_result.data.*._source.site_actor.site_actor.site_actor.site_actor.site_actor.source_uri | string | | https://testdomainlink.com/dankemp action_result.data.*._source.site_actor.site_actor.site_actor.site_actor.source_uri | string | | https://testdomainlink.com/dankemp action_result.data.*._source.site_actor.site_actor.site_actor.source_uri | string | | https://testdomainlink.com/dankemp action_result.data.*._source.site_actor.site_actor.source_uri | string | | https://testdomainlink.com/dankemp action_result.data.*._source.site_actor.source_uri | string | url | urn:fp:resource:qualified:conversation:chat:telegram:site_actor:1061080441 action_result.data.*._source.site_actor.title | string | | Test Title action_result.data.*._source.site_actor.type | string | | user action_result.data.*._source.site_actor.url | string | fp attribute value url | https://testdomainlink.com/user/UniqueUsername642 action_result.data.*._source.site_actor.username | string | url user name | ABOALZBER2 action_result.data.*._source.site_actor_count.count | numeric | | 6219 action_result.data.*._source.site_actor_count.first_resource.fpid | string | | KHXTQDjDWe6qk2t7cZGYbw action_result.data.*._source.site_actor_count.first_resource.names.handle | string | | Emu action_result.data.*._source.site_actor_count.first_resource.native_id | string | | 633735-emu action_result.data.*._source.site_actor_count.last_resource.fpid | string | | 5lauqgEyXjmm-EZbwSOUvQ action_result.data.*._source.site_actor_count.last_resource.names.handle | string | | mantq action_result.data.*._source.site_actor_count.last_resource.native_id | string | | 1195854-mantq action_result.data.*._source.size.number_of_bytes | numeric | | 31380 action_result.data.*._source.size.raw | string | | 31.38 KB action_result.data.*._source.source | string | url | Analyst Research action_result.data.*._source.source_type | string | | Analyst Research action_result.data.*._source.source_uri | string | url | https://testdomainlink.com/test action_result.data.*._source.syntax | string | | text action_result.data.*._source.thread.native_id | string | | 209360561 action_result.data.*._source.thread.site.behavior | string | | replace action_result.data.*._source.thread.site.href | string | | urn:fp:type:resource.qualified.site:Ra2dBSXnXjKqoLS7wJPWgw action_result.data.*._source.thread.site.target | string | | $.site action_result.data.*._source.thread.type | string | | thread action_result.data.*._source.thread_count.count | numeric | | 2506 action_result.data.*._source.times_seen | numeric | | 1 action_result.data.*._source.timestamp | string | | 1549413013 action_result.data.*._source.title | string | | CVE-2019-10802 action_result.data.*._source.to_ids | boolean | | True False action_result.data.*._source.top_domains.*.count | numeric | | 182662 action_result.data.*._source.top_domains.*.value | string | | testdomainlink.com action_result.data.*._source.top_domains.count | numeric | | 262 action_result.data.*._source.top_domains.value | string | | testdomainlink.com action_result.data.*._source.top_passwords.*.count | numeric | | 1038 action_result.data.*._source.top_passwords.*.value | string | sha1 email md5 | e10adc3949ba59abbe56e057f20f883e action_result.data.*._source.total_records | numeric | | 671072 action_result.data.*._source.track1 | string | | 4147202342565650^LAST/NAME ^2102201148941100000000751000000 action_result.data.*._source.track2 | string | | 4147202342565650=210220114894751 action_result.data.*._source.track_information | string | | TR2 action_result.data.*._source.type | string | | md5 action_result.data.*._source.unique_records | numeric | | 671066 action_result.data.*._source.unique_visits | numeric | | 0 action_result.data.*._source.updated_at.date-time | string | | 2016-11-08T08:00:00+00:00 action_result.data.*._source.updated_at.raw | string | | 2016-11-08T08:00:00 action_result.data.*._source.updated_at.timestamp | numeric | | 1478592000 action_result.data.*._source.url | string | fp attribute value url | https://www.testdomainlink.com/test action_result.data.*._source.uuid | string | | 5c5a2a95-de34-4b51-8f23-124a0a640c05 action_result.data.*._source.value.attachment | string | sha256 | 72832db9b951663b8f322778440b8720ea95cde0349a1d26477edd95b3915479 action_result.data.*._source.value.comment | string | file name |
action_result.data.*._source.value.domain | string | fp attribute value domain | adsfinder.xyz action_result.data.*._source.value.email-src | string | fp attribute value email | [email protected] action_result.data.*._source.value.ip-dst | string | fp attribute value ip | 210.122.7.129 action_result.data.*._source.value.ip-dst|port | string | fp attribute value | 5.79.68.110|80 action_result.data.*._source.value.link | string | url | https://www.testdomainlink.com/test.html action_result.data.*._source.value.md5 | string | fp attribute value md5 | 120862db74f9e202c91466fe93efc50a action_result.data.*._source.value.other | string | | id:wc4XnQq4X-GrNjTP9gFh4g action_result.data.*._source.value.sha1 | string | fp attribute value sha1 | 1489f923c4dca729178b3e3233458550d8dddf29 action_result.data.*._source.value.sha256 | string | fp attribute value sha256 | 32acb0ab5c16e624764f282f84f160984d436c777ad1a41ee8080b50db98e199 action_result.data.*._source.value.url | string | fp attribute value url | http://ww1.testdomainlink.com/?subid1=1234 action_result.data.*._source.value.x509-fingerprint-sha1 | string | fp attribute value sha1 | 6565a33dd73b11a30a072537c9424a5b767750e1 action_result.data.*._type | string | | _doc action_result.status | string | | success failed action_result.message | string | | Total results: 478 action_result.summary.total_results | numeric | | 478 summary.total_objects | numeric | | 1 summary.total_objects_successful | numeric | | 1

Fetch a list of IoCs that occur in the context of an event from the Flashpoint Platform

Type: investigate
Read only: True

meta:
author = "Flashpoint"
analyst = "c.testn"
fp_report = "APT15_MirageFox"
source = "hxxps://www[.]intezer[.]com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/"
md5 = "afe24283fd933bac9d0c933e0c08ba02"
sha256 = "28d6a9a709b9ead84aece250889a1687c07e19f6993325ba5295410a478da30a"

strings:
	$MirageFox = { 4D 69 72 61 67 65 46 6F 78 5F 53 65 72 76 65 72 2E 64 61 74 00 64 6C 6C 5F 77 57 69 6E 4D 61 69 }
		/\*
		.rdata:100129B0 word_100129B0   dw 0                    ; DATA XREF: .rdata:100129A4o
		.rdata:100129B2 aMiragefoxServe db 'MirageFox_Server.dat',0
		.rdata:100129B2                                         ; DATA XREF: .rdata:1001298Co
		.rdata:100129C7 aDllWwinmain    db 'dll_wWinMain',0     ; DATA XREF: .rdata:off_100129ACo
		.rdata:100129D4                 align 800h
		.rdata:100129D4 _rdata          ends
		\*/

	$SvcSend = { 5C 63 6D 64 2E 65 78 65 00 00 00 00 57 69 6E 53 74 61 30 5C 44 65 66 61 75 6C 74 00 25 73 6F 73 33 32 5F 5F 25 64 2E 69 6E 69 00 00 25 73 75 73 72 33 32 5F 5F 25 64 2E 69 6E 69 00 25 73 75 73 72 65 72 5F 5F 25 64 2E 69 6E 69 00 25 73 20 25 73 20 2D 20 25 73 0A 00 44 3A 5C 53 76 63 53 65 6E 64 2E 6C 6F 67 }
		/\*
		.data:100134CC ; CHAR aCmdExe[]
		.data:100134CC aCmdExe         db '\\cmd.exe',0         ; DATA XREF: sub_100041A2+1B8o
		.data:100134D5                 align 4
		.data:100134D8 aWinsta0Default db 'WinSta0\\Default',0  ; DATA XREF: sub_100041A2+188o
		.data:100134E8 aSos32DIni      db '%sos32__%d.ini',0   ; DATA XREF: sub_100041A2+5Ao
		.data:100134F7                 align 4
		.data:100134F8 aSusr32DIni     db '%susr32__%d.ini',0  ; DATA XREF: sub_100041A2+3Fo
		.data:100134F8                                         ; sub_100045D3+24o
		.data:10013508 aSusrerDIni     db '%susrer__%d.ini',0  ; DATA XREF: sub_100041A2+21o
		.data:10013518 aSSS            db '%s %s - %s',0Ah,0   ; DATA XREF: sub_10004766+57o
		.data:10013524 aDSvcsendLog    db 'D:\\SvcSend.log',0   ; DATA XREF: sub_10004766+27o
		.data:10013533                 align 4
		.data:10013534 aA              db 'a+',0               ; DATA XREF: sub_10004766+22o
		.data:10013537                 align 4
		.data:10013538 unk_10013538    db  20h                 ; DATA XREF: sub_10004B19+2o
		\*/

condition:
	(uint16(0) == 0x5A4D and uint8(uint32(0x3c)+23) == 0x21 and $MirageFox and $SvcSend) or
	(uint16(0) == 0x5A4D and uint8(uint32(0x3c)+23) == 0x21 and $MirageFox) // Some variants do not drop SvcSend.log. Comment out this last condition to detect only variants that drop SvcSend.log

} action_result.status | string | | success failed action_result.message | string | | Total iocs: 1000 action_result.summary.total_iocs | numeric | | 1000 summary.total_objects | numeric | | 1 summary.total_objects_successful | numeric | | 1

Fetch an IoC value of a specific attribute type from the list of available IoCs on the Flashpoint Platform

Type: investigate
Read only: True

meta:
author = "Flashpoint"
analyst = "c.testn"
fp_report = "APT15_MirageFox"
source = "hxxps://www[.]intezer[.]com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/"
md5 = "afe24283fd933bac9d0c933e0c08ba02"
sha256 = "28d6a9a709b9ead84aece250889a1687c07e19f6993325ba5295410a478da30a"

strings:
	$MirageFox = { 4D 69 72 61 67 65 46 6F 78 5F 53 65 72 76 65 72 2E 64 61 74 00 64 6C 6C 5F 77 57 69 6E 4D 61 69 }
		/\*
		.rdata:100129B0 word_100129B0   dw 0                    ; DATA XREF: .rdata:100129A4o
		.rdata:100129B2 aMiragefoxServe db 'MirageFox_Server.dat',0
		.rdata:100129B2                                         ; DATA XREF: .rdata:1001298Co
		.rdata:100129C7 aDllWwinmain    db 'dll_wWinMain',0     ; DATA XREF: .rdata:off_100129ACo
		.rdata:100129D4                 align 800h
		.rdata:100129D4 _rdata          ends
		\*/

	$SvcSend = { 5C 63 6D 64 2E 65 78 65 00 00 00 00 57 69 6E 53 74 61 30 5C 44 65 66 61 75 6C 74 00 25 73 6F 73 33 32 5F 5F 25 64 2E 69 6E 69 00 00 25 73 75 73 72 33 32 5F 5F 25 64 2E 69 6E 69 00 25 73 75 73 72 65 72 5F 5F 25 64 2E 69 6E 69 00 25 73 20 25 73 20 2D 20 25 73 0A 00 44 3A 5C 53 76 63 53 65 6E 64 2E 6C 6F 67 }
		/\*
		.data:100134CC ; CHAR aCmdExe[]
		.data:100134CC aCmdExe         db '\\cmd.exe',0         ; DATA XREF: sub_100041A2+1B8o
		.data:100134D5                 align 4
		.data:100134D8 aWinsta0Default db 'WinSta0\\Default',0  ; DATA XREF: sub_100041A2+188o
		.data:100134E8 aSos32DIni      db '%sos32__%d.ini',0   ; DATA XREF: sub_100041A2+5Ao
		.data:100134F7                 align 4
		.data:100134F8 aSusr32DIni     db '%susr32__%d.ini',0  ; DATA XREF: sub_100041A2+3Fo
		.data:100134F8                                         ; sub_100045D3+24o
		.data:10013508 aSusrerDIni     db '%susrer__%d.ini',0  ; DATA XREF: sub_100041A2+21o
		.data:10013518 aSSS            db '%s %s - %s',0Ah,0   ; DATA XREF: sub_10004766+57o
		.data:10013524 aDSvcsendLog    db 'D:\\SvcSend.log',0   ; DATA XREF: sub_10004766+27o
		.data:10013533                 align 4
		.data:10013534 aA              db 'a+',0               ; DATA XREF: sub_10004766+22o
		.data:10013537                 align 4
		.data:10013538 unk_10013538    db  20h                 ; DATA XREF: sub_10004B19+2o
		\*/

condition:
	(uint16(0) == 0x5A4D and uint8(uint32(0x3c)+23) == 0x21 and $MirageFox and $SvcSend) or
	(uint16(0) == 0x5A4D and uint8(uint32(0x3c)+23) == 0x21 and $MirageFox) // Some variants do not drop SvcSend.log. Comment out this last condition to detect only variants that drop SvcSend.log

} action_result.status | string | | success failed action_result.message | string | | Total iocs: 1 action_result.summary.total_iocs | numeric | | 1 summary.total_objects | numeric | | 1 summary.total_objects_successful | numeric | | 1