Area 1 Security

Version: 2.0.0

Area 1 Security offers Application Programming Interfaces (APIs) to expose our phishing campaign rulesets. These APIs both aid research and provide a set of indicators to block using network security edge devices.

Connect Area 1 Security with LogicHub

  1. Navigate to Automations > Integrations.
  2. Search for Area 1 Security.
  3. Click Details, then the + icon. Enter the required information in the following fields.
    • Label: Enter a connection name.
    • Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com where, hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
    • Verify SSL: Select option to verify connecting server's SSL certificate (Default is Verify SSL Certificate).
    • Remote Agent: Run this integration using the LogicHub Remote Agent.
    • Username: Username to access Area 1 Security APIs.
    • Password: Password to access Area 1 Security APIs.
  4. After you've entered all the details, click Connect.

Actions for Area 1 Security

List Actors

This service returns a list of Actors.

Input Field

Choose a connection that you have previously created to complete the connection.

Output

A JSON object containing multiple rows of result:

{
	"error":null,
	"has_error":false,
	"result":"ALL_ACTOR"
}

Return Indicators (Rate Limit: 10/hour)

This service returns malicious indicators (file hashes, URLs, domains, and IP address) that we recommend you block at your network edge using proxy devices and firewalls.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input NameDescriptionRequired
SinceJinja-templated text containing the value for start time, the ISO 8601 date and time (Default is Batch start time).
Example: to specify July 16, 2017, use the form YYYY-MM-DDTHH:mm:ss, or 2017-07-16T00:00:00. Can also be timezone specific YYYY-MM-DDTHH:mm:ss-HH:mm, or 2017-07-16T00:00:00-4:00.
EndJinja-templated text containing the value for end time, the ISO 8601 date and time (Default is Batch end time).
Example: to specify July 16, 2017, use the form YYYY-MM-DDTHH:mm:ss, or 2017-07-16T00:00:00. Can also be timezone specific YYYY-MM-DDTHH:mm:ss-HH:mm, or 2017-07-16T00:00:00-4:00.
ActorJinja-templated text containing the value of actor. Example: {{actor}}
* Killchain (Optional): Jinja-Templated text containing the CSVs of the killchain.
Example: {{killchain_1}},3
KillchainJinja-templated text containing the CSVs of the killchain.
Example: {{killchain_1}},3
CatJinja-templated text containing the CSVs of the cat.
Example: {{cat_1}},targeted
TypeJinja-templated text containing the CSVs of the type.
Example: {{type_1}},domain

Output

A JSON object containing indicator details:

{
  "has_error":false,
  "error":null,
	"threat_name": "Google Credential Harvester",
	"item_type": "url",
	"description": "https://api.area1.com/nirvana/google-credential-harvesting.html",
	"item_name": "www.example.com/a-bad-url/",
	"first_detected": 1449164991,
	"threat_categories": [
		{
			"threat_type": [
				"Credential Harvester",
				"Malicious Web Server"
			],
			"category": [
				"Universal"
			],
			"killchain": [
				"3"
			],
			"actor": [
				"CHN1"
			]
		}
	]
}

Search Indicator (Rate Limit: 4/minute)

This service can be queried with a basic indicator (file hash (MD5/SHA-1/SHA-256), URL, domain, IP Address, or email address) and returns information about the indicator.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input NameDescriptionRequired
IndicatorJinja-templated text containing the value of indicator of interest. Example: {{indicator}}Required
HistoricSelect value of Historic (Default is False). True/FalseOptional

Output

A JSON object containing indicator details:

{
  "has_error":false,
  "error":null,
  "indicator": "example",
  "first_seen": 1433810886000,
  "last_seen": 1478200022000,
  "Hash_ImpHash": "eample",
  "Hash_authentihash": "example",
  "type": "Hash_SHA1",
  "Hash_ssdeep": "example",
  "disposition": "MALICIOUS",
  "tlp": "white",
  "Hash_MD5": "example_md5",
  "tag_histories": [
    {
      "intervals": [
        {
          "start": 1337347427000,
          "end": "current"
        }
      ],
      "category": "Actor",
      "value": "abc"
    },
    {
      "intervals": [
        {
          "start": 1337347427000,
          "end": "current"
        }
      ],
      "category": "ThreatType",
      "value": "Dropper"
    }
  ],
  "family": "file",
  "Hash_SHA256": "example"
}

List Alerts (Rate Limit: 5/hour)

This service returns information of each alert that is generated through the Area 1 Security email product.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input NameDescriptionRequired
DispositionJinja-templated text containing the CSVs of disposition (Default is malicious).
Example: {{disposition}},spam
Optional
SinceJinja-templated text containing the value for start time, the ISO 8601 date and time (Default is Batch start time).
Example: to specify July 16, 2017, use the form YYYY-MM-DDTHH:mm:ss, or 2017-07-16T00:00:00. Can also be timezone specific YYYY-MM-DDTHH:mm:ss-HH:mm, or 2017-07-16T00:00:00-4:00.
Optional
EndJinja-templated text containing the value for end time, the ISO 8601 date and time (Default is Batch end time).
Example: to specify July 16, 2017, use the form YYYY-MM-DDTHH:mm:ss, or 2017-07-16T00:00:00. Can also be timezone specific YYYY-MM-DDTHH:mm:ss-HH:mm, or 2017-07-16T00:00:00-4:00.
Optional

Output

A JSON object containing List of Alerts:

{
  "has_error":false,
  "error":null,
  "source": "area1security",
  "time": 1524570920,
  "event": {
    "final_disposition": "MALICIOUS",
    "attachments": [
      {
        "sha1": "example",
        "sha256": "example",
        "content_type_provided": "image/jpeg",
        "content_type_computed": "image/jpeg",
        "name": "image003.jpg",
        "ssdeep": "example",
        "md5": "example"
      }
    ],
    "smtp_helo_server_name": "mail.example.net",
    "envelope_to": [
      "[email protected]"
    ],
    "subject": "Potential Partnership",
    "smtp_helo_server_ip_as_name": "LIQUIDWEB - Liquid Web, L.L.C, US",
    "alert_reasons": [
      "Malicious previous hop domain server 'mail.example[dot]net'",
      "no really, it's a very mailicious domain 'example[dot]net'"
    ],
    "encrypted_feature_count": null,
    "message_id": "<[email protected]>",
    "replyto_name": null,
    "from_name": "Christine",
    "smtp_helo_server_ip": "192.168.1.184",
    "smtp_helo_server_ip_geo": "US/-/-",
    "smtp_helo_server_ip_as_number": "3232235960",
    "envelope_from": "[email protected]",
    "alert_id": "40VVylabcbz7pJj-2018-04-24T04:41:19",
    "replyto": "[email protected]",
    "from": "CEO Christine <[email protected]>",
    "to": [
      "[email protected]"
    ],
    "ts": "2018-04-24T04:41:19Z"
  }
}

Email Details by Alert ID

This service returns the content of an email given an alert_id from the detection message sent from Area 1.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input NameDescriptionRequired
Alert IDJinja-templated text containing the value of the Alert ID. Example: {{alert_id}}Required

Output

A JSON object containing message content and fileId of message details:

{
  "has_error":false,
  "error":null,
  "email": "body",
  "fileId": "4153535"
}

Search Detected Emails

This service returns information for each email that matches the search parameter(s). Only emails that have a detection (final_disposition of SPOOF, SPAM, SUSPICIOUS, MALICIOUS-BEC or MALICIOUS) will be searched.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input NameDescriptionRequired
QueryJinja-templated text containing the value of the query.
Example: {{query}}
Required
Days BackJinja-templated text containing the value of the days back (default is 7, maximum is 365).
Example: 108
Optional
LimitJinja-templated text containing the value of the number of Emails to fetch (Default is 100, Maximum is 1000).
Example: 50
Optional

Output of Action:
A JSON object containing detected email list:

{
  "has_error":false,
  "error":null,
  "cc": null,
  "tracking_value_sent": "",
  "final_disposition": "MALICIOUS",
  "x_originating_ip": null,
  "to_name": null,
  "subject": "listen, I highly recommend u to read that email, just to ensure not a thing will take place ",
  "findings": [
    {
      "reason": "IP is a source of spam/uce : Smtp-Helo-Server-Ip='127.0.0[dot]186'",
      "score": null,
      "detection": "SPAM",
      "field": "smtp_helo_server_ip",
      "attachment": null,
      "portion": "SMTP",
      "name": "blocklist",
      "action": "PROMOTE",
      "detail": null,
      "diagnostic": "",
      "value": "127.0.0.186",
      "version": null
    }
  ],
  "sent_date": "2019-11-21T00:22:01",
  "detectionReasons": [
    "IP is a source of spam/uce : Smtp-Helo-Server-Ip=<b>127.0.0[dot]186</b>"
  ],
  "client_uuid": "abcdef12-3456-7890-abcd-ef1234567896",
  "from_name": null,
  "smtp_helo_server_ip": "127.0.0.186",
  "smtp_previous_hop_ip": "127.0.0.186",
  "envelope_from": "[email protected]",
  "replyto": "[email protected]",
  "from": "[email protected]",
  "to": [
    "[email protected]"
  ],
  "client_name": "area1",
  "postfix_ident": "47JJcT1w6GztQV7",
  "ts": "2019-11-20T23:22:01"
}

Search All Emails

This service returns information for each email that matches the search parameter(s). All email can be searched, whether it registered a detection or not.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input NameDescriptionRequired
SubjectJinja-templated text containing the value of the Subject.
Example: {{subject}}
Optional
Alert IDJinja-templated text containing the value of the Alert ID(only present for emails with a final_disposition of SPOOF, SPAM, SUSPICIOUS, MALICIOUS-BEC, or MALICIOUS).
Example: {{alert_id}}
Optional
Message IDJinja-templated text containing the value of the full Message ID.
Example: {{message_id}}
Optional
RecipientJinja-templated text containing the value of the Recipient.
Example: {{recipient}}
Optional
SenderJinja-templated text containing the value of the Sender.
Example: {{sender}}
Optional
SinceJinja-templated text containing the value for start time, the ISO 8601 date and time (Default is Batch start time).
Example: to specify July 16, 2017, use the form YYYY-MM-DDTHH:mm:ss, or 2017-07-16T00:00:00. Can also be timezone specific YYYY-MM-DDTHH:mm:ss-HH:mm, or 2017-07-16T00:00:00-4:00.
Optional
EndJinja-templated text containing the value for end time, the ISO 8601 date and time (Default is Batch end time).
Example: to specify July 16, 2017, use the form YYYY-MM-DDTHH:mm:ss, or 2017-07-16T00:00:00. Can also be timezone specific YYYY-MM-DDTHH:mm:ss-HH:mm, or 2017-07-16T00:00:00-4:00.
Optional
LimitJinja-templated text containing the value of the number of Emails to fetch (Default is 100, Maximum is 1000).
Example: 50
Optional

Output

A JSON object containing email details:

{
  "has_error":false,
  "error":null,
  "postfix_ident_outbound": "47Jjdp3WRsz11M1D",
  "final_disposition": "NONE",
  "envelope_to": [
    "[email protected]"
  ],
  "subject": "[EXTERNAL] RE: Lost and found",
  "from": "[email protected]",
  "message_id": "<[email protected]>",
  "postfix_ident": "47Jjcz1H88z11M4F",
  "client_name": "mr. client",
  "ts": "2019-11-21T15:09:33"
}

Release Notes

  • v2.0.0 - Updated architecture to support IO via filesystem