Flashpoint

Version: 2.0.0

Flashpoint is the globally trusted leader in risk intelligence for organizations that demand the fastest, most comprehensive coverage of threatening activity on the internet.

Connect Flashpoint with LogicHub

  1. Navigate to Automations > Integrations.
  2. Search for Flashpoint.
  3. Click Details, then the + icon. Enter the required information in the following fields.
    • Label: Enter a connection name.
    • Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
    • Verify SSL: Select this option to verify the connecting server's SSL certificate (Default is Verify SSL Certificate).
    • Remote Agent: Run this integration using the LogicHub Remote Agent.
    • URL: URL of your Flashpoint instance. Example: https://fp.XXXX/api/v4.
    • API Key/Token: API token used to authenticate with Flashpoint.
  4. After you've entered all the details, click Connect.

Actions for Flashpoint

Get Attribute

This action is used to gather an attribute from the indicators API.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Attribute ID | Jinja-templated text containing the UUID or FPID that identifies a particular attribute. | Required
Format | Jinja-templated text containing the output format. Accepted values are FP, MISP, or CSV. Note: the attribute endpoint currently only accepts the FP format. | Optional

Output

A JSON object containing multiple rows of result:

  • has_error: True/False
  • error: message/null
  • response: SUCCESS

Get Attributes

Method to gather attributes from the indicators API. This method is used to retrieve a list of indicators of compromise (IOCs) that occur in the context of an event.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Explode Results | Explode each result into a separate row. (Default is Yes) | Optional
Limit | Number of results to fetch. (Default is 1000) | Optional
Format | Jinja-templated text containing the output format. Accepted values are FP, MISP, or CSV. Note: the attribute endpoint currently only accepts the FP format. | Optional
Start Date | Jinja-templated column name from the parent table that contains the start date. Dates are in UTC and follow ISO 8601, or are relative values. Example: YYYY-MM-DD or 30s, 5m, 2h, 3d, 2w, 3M, 2y | Optional
End Date | Jinja-templated column name from the parent table that contains the end date. Dates are in UTC and follow ISO 8601, or are relative values. Example: YYYY-MM-DD or 30s, 5m, 2h, 3d, 2w, 3M, 2y | Optional
Updated Since | Jinja-templated text selecting values created after the specified date. Dates are in UTC and follow ISO 8601, or are relative values. Example: YYYY-MM-DD or 30s, 5m, 2h, 3d, 2w, 3M, 2y | Optional
Updated Till | Jinja-templated text selecting values updated or created until the specified date. Dates are in UTC and follow ISO 8601, or are relative values. Example: YYYY-MM-DD or 30s, 5m, 2h, 3d, 2w, 3M, 2y | Optional
Search Tag | Jinja-templated text containing a keyword to search for inside the tags. Multiple keywords can be given as a list, such as malware, ransomware. | Optional
Search Field | Jinja-templated text containing comparisons on specific value types, as a string of the form a=something, b>10 with one entry per comparison. | Optional
Attack IDs | Jinja-templated text containing a comma-delimited list of MITRE ATT&CK IDs to filter events by. | Optional
Sort Timestamp | Jinja-templated text containing the sort order by timestamp, either asc or desc. | Optional
Report | Jinja-templated text containing the FPID of a specific report; returns the items related to that report. | Optional

Output

A JSON object containing multiple rows of result:

  • has_error: True/False
  • error: message/null
  • response: SUCCESS

Get Event

Method to gather an event from the indicators API.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Event ID | Jinja-templated text containing the UUID or FPID that identifies a particular event. | Required
Format | Jinja-templated text containing the output format. Accepted values are FP, MISP, or CSV. Note: the attribute endpoint currently only accepts the FP format. | Optional

Output

A JSON object containing multiple rows of result:

  • has_error: True/False
  • error: message/null
  • other JSON fields of each model

Get Events

Method to gather events from the indicators API. This method is used to gather a list of events. Events are groupings of different indicators of compromise that contain metadata about the situation where these indicators have been observed.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Explode Results | Explode each result into a separate row. (Default is Yes) | Optional
Limit | Number of results to fetch. (Default is 1000) | Optional
Format | Jinja-templated text containing the output format. Accepted values are FP, MISP, or CSV. Note: the attribute endpoint currently only accepts the FP format. | Optional
Start Date | Jinja-templated column name from the parent table that contains the start date. Dates are in UTC and follow ISO 8601, or are relative values. Example: YYYY-MM-DD or 30s, 5m, 2h, 3d, 2w, 3M, 2y | Optional
End Date | Jinja-templated column name from the parent table that contains the end date. Dates are in UTC and follow ISO 8601, or are relative values. Example: YYYY-MM-DD or 30s, 5m, 2h, 3d, 2w, 3M, 2y | Optional
Updated Since | Jinja-templated text selecting values created after the specified date. Dates are in UTC and follow ISO 8601, or are relative values. Example: YYYY-MM-DD or 30s, 5m, 2h, 3d, 2w, 3M, 2y | Optional
Updated Until | Jinja-templated text selecting values updated or created until the specified date. Dates are in UTC and follow ISO 8601, or are relative values. Example: YYYY-MM-DD or 30s, 5m, 2h, 3d, 2w, 3M, 2y | Optional
Search Tag | Jinja-templated text containing a keyword to search for inside the tags. Multiple keywords can be given as a list, such as malware, ransomware. | Optional
Search Field | Jinja-templated text containing comparisons on specific value types, as a string of the form a=something, b>10 with one entry per comparison. | Optional
Attack IDs | Jinja-templated text containing a comma-delimited list of MITRE ATT&CK IDs to filter events by. | Optional
Sort Timestamp | Jinja-templated text containing the sort order by timestamp, either asc or desc. | Optional
Report | Jinja-templated text containing the FPID of a specific report; returns the items related to that report. | Optional
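The Get Attributes and Get Events inputs above share one parameter set, and a playbook that passes them through unchecked only learns about a bad date or an unsupported format from the API's error. The validator below is an added example, not code from LogicHub or Flashpoint: it normalises relative dates, Search Field comparisons, ATT&CK IDs, the format and the sort order into a query dict before anything is sent. Assumptions: a relative value counts back from "now", the sort values are asc and desc, the dict keys and helper names are illustrative rather than the indicators API's own, and SAMPLE_NOW is a constructed clock.

```python
import re
from datetime import datetime, timedelta, timezone

_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800, "M": 2592000, "y": 31536000}
_RELATIVE = re.compile(r"^(\d+)([smhdwMy])$")
_ISO_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}(T\d{2}:\d{2}:\d{2}Z?)?$")
_ATTACK_ID = re.compile(r"^T\d{4}(\.\d{3})?$")
SAMPLE_NOW = datetime(2021, 6, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed clock for the demo


def normalize_date(value, now=None):
    """Pass 'YYYY-MM-DD' through; turn '30s', '5m', '2h', '3d', '2w', '3M', '2y' into a UTC timestamp."""
    now = now or datetime.now(timezone.utc)
    match = _RELATIVE.match(value.strip())
    if match:
        # assumption: a relative value means "this far back from now", e.g. 3d = the last three days
        back = timedelta(seconds=int(match.group(1)) * _SECONDS[match.group(2)])
        return (now - back).strftime("%Y-%m-%dT%H:%M:%SZ")
    if _ISO_DATE.match(value.strip()):
        return value.strip()
    raise ValueError(f"not an ISO 8601 date or relative value: {value!r}")


def parse_search_field(text):
    """Split 'a=something, b>10' into (field, operator, value) triples; reject anything else."""
    triples = []
    for part in (p.strip() for p in text.split(",") if p.strip()):
        match = re.match(r"^([A-Za-z_][\w.]*)\s*(!=|>=|<=|=|>|<)\s*(\S.*)$", part)
        if not match:
            raise ValueError(f"not a field comparison: {part!r}")
        triples.append(match.groups())
    return triples


def format_allowed(endpoint, fmt):
    """The attribute endpoint currently accepts FP only; the event endpoint accepts FP, MISP or CSV."""
    return fmt == "FP" if endpoint == "attribute" else fmt in ("FP", "MISP", "CSV")


def build_params(endpoint, fmt="FP", limit=1000, sort_timestamp=None, attack_ids=None,
                 search_field=None, now=None, **dates):
    """Build the query dict for 'attribute' or 'event' (keys here are illustrative, not the API's own)."""
    if not format_allowed(endpoint, fmt) or sort_timestamp not in (None, "asc", "desc"):
        raise ValueError(f"format {fmt!r} / sort {sort_timestamp!r} not accepted by the {endpoint} endpoint")
    params = {"format": fmt, "limit": int(limit), "sort_timestamp": sort_timestamp}
    params.update({key: normalize_date(value, now) for key, value in dates.items()})
    if attack_ids:
        ids = [i.strip() for i in attack_ids.split(",")]
        if any(not _ATTACK_ID.match(i) for i in ids):
            raise ValueError(f"not MITRE ATT&CK technique ids: {attack_ids!r}")
        params["attack_ids"] = ids
    if search_field:
        params["search_field"] = parse_search_field(search_field)
    return {key: value for key, value in params.items() if value is not None}
```

Keyword arguments such as start_date="3d" or updated_until="2021-06-01" are the date inputs; each is normalised with the same rules, so a typo like "3days" fails here rather than at the API.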

Output

A JSON object containing multiple rows of result:

  • has_error: True/False
  • error: message/null
  • other JSON fields of each model breach

Search Datasets

General search method. This method is used to execute queries against the Flashpoint Search API. It accepts a variety of keyword arguments corresponding to the Search API parameters. It also accepts a basetypes parameter to easily run broad queries on specific basetypes.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Explode Results | Explode each result into a separate row. (Default is Yes) | Optional
Basetypes | Jinja-templated text containing a list of basetype strings. The module fp_sdk.basetypes exists to assist with using basetypes. Example: ["conversation", "chat", "telegram", "container"] | Optional
Query | Jinja-templated text containing the free-text search query using ES URI search. Either query or q is required; if both are provided, query takes precedence and q is ignored. | Required
Limit | Number of results to fetch. (Default is 1000) | Optional
Sort | Jinja-templated text containing a list of field:order pairs to sort the results by. Example: ["created_at:desc", "author:asc"] | Optional
Source | Jinja-templated text specifying whether to return the _source object from the returned hits. | Optional
Fields | Jinja-templated text containing a list of fields to search against. Applies to query terms that don't have field names explicitly set in the query string. | Optional

Output

A JSON object containing multiple rows of result:

  • has_error: True/False
  • error: message/null
  • other JSON fields of Breach ID details

Release Notes

  • v2.0.0 - Updated architecture to support IO via filesystem
  • v1.0.1 - Added 5 new actions.

© 2017-2021 LogicHub®. All Rights Reserved.