Area 1 Security
Version: 2.0.0
Area 1 Security offers Application Programming Interfaces (APIs) to expose our phishing campaign rulesets. These APIs both aid research and provide a set of indicators to block using network security edge devices.
Connect Area 1 Security with LogicHub
- Navigate to Automations > Integrations.
- Search for Area 1 Security.
- Click Details, then the + icon. Enter the required information in the following fields.
- Label: Enter a connection name.
- Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com where, hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
- Verify SSL: Select option to verify connecting server's SSL certificate (Default is Verify SSL Certificate).
- Remote Agent: Run this integration using the LogicHub Remote Agent.
- Username: Username to access Area 1 Security APIs.
- Password: Password to access Area 1 Security APIs.
- After you've entered all the details, click Connect.
Actions for Area 1 Security
List Actors
This service returns a list of Actors.
Input Field
Choose a connection that you have previously created to complete the connection.
Output
A JSON object containing multiple rows of result:
{
"error":null,
"has_error":false,
"result":"ALL_ACTOR"
}
Return Indicators (Rate Limit: 10/hour)
This service returns malicious indicators (file hashes, URLs, domains, and IP address) that we recommend you block at your network edge using proxy devices and firewalls.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Since | Jinja-templated text containing the value for start time, the ISO 8601 date and time (Default is Batch start time). Example: to specify July 16, 2017, use the form YYYY-MM-DDTHH:mm:ss, or 2017-07-16T00:00:00. Can also be timezone specific YYYY-MM-DDTHH:mm:ss-HH:mm, or 2017-07-16T00:00:00-4:00. | |
| End | Jinja-templated text containing the value for end time, the ISO 8601 date and time (Default is Batch end time). Example: to specify July 16, 2017, use the form YYYY-MM-DDTHH:mm:ss, or 2017-07-16T00:00:00. Can also be timezone specific YYYY-MM-DDTHH:mm:ss-HH:mm, or 2017-07-16T00:00:00-4:00. | |
| Actor | Jinja-templated text containing the value of actor. Example: {{actor}} * Killchain (Optional): Jinja-Templated text containing the CSVs of the killchain. Example: {{killchain_1}},3 | |
| Killchain | Jinja-templated text containing the CSVs of the killchain. Example: {{killchain_1}},3 | |
| Cat | Jinja-templated text containing the CSVs of the cat. Example: {{cat_1}},targeted | |
| Type | Jinja-templated text containing the CSVs of the type. Example: {{type_1}},domain |
Output
A JSON object containing indicator details:
{
"has_error":false,
"error":null,
"threat_name": "Google Credential Harvester",
"item_type": "url",
"description": "https://api.area1.com/nirvana/google-credential-harvesting.html",
"item_name": "www.example.com/a-bad-url/",
"first_detected": 1449164991,
"threat_categories": [
{
"threat_type": [
"Credential Harvester",
"Malicious Web Server"
],
"category": [
"Universal"
],
"killchain": [
"3"
],
"actor": [
"CHN1"
]
}
]
}
Search Indicator (Rate Limit: 4/minute)
This service can be queried with a basic indicator (file hash (MD5/SHA-1/SHA-256), URL, domain, IP Address, or email address) and returns information about the indicator.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Indicator | Jinja-templated text containing the value of indicator of interest. Example: {{indicator}} | Required |
| Historic | Select value of Historic (Default is False). True/False | Optional |
Output
A JSON object containing indicator details:
{
"has_error":false,
"error":null,
"indicator": "example",
"first_seen": 1433810886000,
"last_seen": 1478200022000,
"Hash_ImpHash": "eample",
"Hash_authentihash": "example",
"type": "Hash_SHA1",
"Hash_ssdeep": "example",
"disposition": "MALICIOUS",
"tlp": "white",
"Hash_MD5": "example_md5",
"tag_histories": [
{
"intervals": [
{
"start": 1337347427000,
"end": "current"
}
],
"category": "Actor",
"value": "abc"
},
{
"intervals": [
{
"start": 1337347427000,
"end": "current"
}
],
"category": "ThreatType",
"value": "Dropper"
}
],
"family": "file",
"Hash_SHA256": "example"
}
List Alerts (Rate Limit: 5/hour)
This service returns information of each alert that is generated through the Area 1 Security email product.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Disposition | Jinja-templated text containing the CSVs of disposition (Default is malicious). Example: {{disposition}},spam | Optional |
| Since | Jinja-templated text containing the value for start time, the ISO 8601 date and time (Default is Batch start time). Example: to specify July 16, 2017, use the form YYYY-MM-DDTHH:mm:ss, or 2017-07-16T00:00:00. Can also be timezone specific YYYY-MM-DDTHH:mm:ss-HH:mm, or 2017-07-16T00:00:00-4:00. | Optional |
| End | Jinja-templated text containing the value for end time, the ISO 8601 date and time (Default is Batch end time). Example: to specify July 16, 2017, use the form YYYY-MM-DDTHH:mm:ss, or 2017-07-16T00:00:00. Can also be timezone specific YYYY-MM-DDTHH:mm:ss-HH:mm, or 2017-07-16T00:00:00-4:00. | Optional |
Output
A JSON object containing List of Alerts:
{
"has_error":false,
"error":null,
"source": "area1security",
"time": 1524570920,
"event": {
"final_disposition": "MALICIOUS",
"attachments": [
{
"sha1": "example",
"sha256": "example",
"content_type_provided": "image/jpeg",
"content_type_computed": "image/jpeg",
"name": "image003.jpg",
"ssdeep": "example",
"md5": "example"
}
],
"smtp_helo_server_name": "mail.example.net",
"envelope_to": [
"[email protected]"
],
"subject": "Potential Partnership",
"smtp_helo_server_ip_as_name": "LIQUIDWEB - Liquid Web, L.L.C, US",
"alert_reasons": [
"Malicious previous hop domain server 'mail.example[dot]net'",
"no really, it's a very mailicious domain 'example[dot]net'"
],
"encrypted_feature_count": null,
"message_id": "<[email protected]>",
"replyto_name": null,
"from_name": "Christine",
"smtp_helo_server_ip": "192.168.1.184",
"smtp_helo_server_ip_geo": "US/-/-",
"smtp_helo_server_ip_as_number": "3232235960",
"envelope_from": "[email protected]",
"alert_id": "40VVylabcbz7pJj-2018-04-24T04:41:19",
"replyto": "[email protected]",
"from": "CEO Christine <[email protected]>",
"to": [
"[email protected]"
],
"ts": "2018-04-24T04:41:19Z"
}
}
Email Details by Alert ID
This service returns the content of an email given an alert_id from the detection message sent from Area 1.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Alert ID | Jinja-templated text containing the value of the Alert ID. Example: {{alert_id}} | Required |
Output
A JSON object containing message content and fileId of message details:
{
"has_error":false,
"error":null,
"email": "body",
"fileId": "4153535"
}
Search Detected Emails
This service returns information for each email that matches the search parameter(s). Only emails that have a detection (final_disposition of SPOOF, SPAM, SUSPICIOUS, MALICIOUS-BEC or MALICIOUS) will be searched.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Query | Jinja-templated text containing the value of the query. Example: {{query}} | Required |
| Days Back | Jinja-templated text containing the value of the days back (default is 7, maximum is 365). Example: 108 | Optional |
| Limit | Jinja-templated text containing the value of the number of Emails to fetch (Default is 100, Maximum is 1000). Example: 50 | Optional |
Output of Action:
A JSON object containing detected email list:
{
"has_error":false,
"error":null,
"cc": null,
"tracking_value_sent": "",
"final_disposition": "MALICIOUS",
"x_originating_ip": null,
"to_name": null,
"subject": "listen, I highly recommend u to read that email, just to ensure not a thing will take place ",
"findings": [
{
"reason": "IP is a source of spam/uce : Smtp-Helo-Server-Ip='127.0.0[dot]186'",
"score": null,
"detection": "SPAM",
"field": "smtp_helo_server_ip",
"attachment": null,
"portion": "SMTP",
"name": "blocklist",
"action": "PROMOTE",
"detail": null,
"diagnostic": "",
"value": "127.0.0.186",
"version": null
}
],
"sent_date": "2019-11-21T00:22:01",
"detectionReasons": [
"IP is a source of spam/uce : Smtp-Helo-Server-Ip=<b>127.0.0[dot]186</b>"
],
"client_uuid": "abcdef12-3456-7890-abcd-ef1234567896",
"from_name": null,
"smtp_helo_server_ip": "127.0.0.186",
"smtp_previous_hop_ip": "127.0.0.186",
"envelope_from": "[email protected]",
"replyto": "[email protected]",
"from": "[email protected]",
"to": [
"[email protected]"
],
"client_name": "area1",
"postfix_ident": "47JJcT1w6GztQV7",
"ts": "2019-11-20T23:22:01"
}
Search All Emails
This service returns information for each email that matches the search parameter(s). All email can be searched, whether it registered a detection or not.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Subject | Jinja-templated text containing the value of the Subject. Example: {{subject}} | Optional |
| Alert ID | Jinja-templated text containing the value of the Alert ID(only present for emails with a final_disposition of SPOOF, SPAM, SUSPICIOUS, MALICIOUS-BEC, or MALICIOUS). Example: {{alert_id}} | Optional |
| Message ID | Jinja-templated text containing the value of the full Message ID. Example: {{message_id}} | Optional |
| Recipient | Jinja-templated text containing the value of the Recipient. Example: {{recipient}} | Optional |
| Sender | Jinja-templated text containing the value of the Sender. Example: {{sender}} | Optional |
| Since | Jinja-templated text containing the value for start time, the ISO 8601 date and time (Default is Batch start time). Example: to specify July 16, 2017, use the form YYYY-MM-DDTHH:mm:ss, or 2017-07-16T00:00:00. Can also be timezone specific YYYY-MM-DDTHH:mm:ss-HH:mm, or 2017-07-16T00:00:00-4:00. | Optional |
| End | Jinja-templated text containing the value for end time, the ISO 8601 date and time (Default is Batch end time). Example: to specify July 16, 2017, use the form YYYY-MM-DDTHH:mm:ss, or 2017-07-16T00:00:00. Can also be timezone specific YYYY-MM-DDTHH:mm:ss-HH:mm, or 2017-07-16T00:00:00-4:00. | Optional |
| Limit | Jinja-templated text containing the value of the number of Emails to fetch (Default is 100, Maximum is 1000). Example: 50 | Optional |
Output
A JSON object containing email details:
{
"has_error":false,
"error":null,
"postfix_ident_outbound": "47Jjdp3WRsz11M1D",
"final_disposition": "NONE",
"envelope_to": [
"[email protected]"
],
"subject": "[EXTERNAL] RE: Lost and found",
"from": "[email protected]",
"message_id": "<[email protected]>",
"postfix_ident": "47Jjcz1H88z11M4F",
"client_name": "mr. client",
"ts": "2019-11-21T15:09:33"
}
Release Notes
v2.0.0- Updated architecture to support IO via filesystem
Updated about 1 year ago