Digital Shadows SearchLight Integration Configuration Guide
  • 17 Mar 2024
  • 4 Minutes to read
  • Dark
    Light

Digital Shadows SearchLight Integration Configuration Guide

  • Dark
    Light

Article summary

Software Version
This guide applies to the Digital Shadows SearchLight App version 1.0.x.

Overview

The ThreatConnect® integration with Digital Shadows SearchLight provides an unparalleled vantage point for quickly discovering and removing information on which adversaries rely to hone attacks. It also enables you ingest and act on real-time exploit and vulnerability data essential for tuning layered security defenses and to import intelligence incidents, threats, and IOCs from the Digital Shadows API into ThreatConnect.

Dependencies

ThreatConnect Dependencies

  • ThreatConnect instance with version 6.2 or newer installed
Note
All ThreatConnect dependencies will be provided by default to subscribing ThreatConnect Cloud customers. Customers on Dedicated Cloud and On-Premises instances can enable these settings on the Account Settings screen within their ThreatConnect instance.

 Digital Shadows Dependencies

  • Active subscription to Digital Shadows SearchLight with API key

Application Setup and Configuration

Organization Administrators should set up and configure the Digital Shadows SearchLight App. See Creating Jobs Using TC Exchange Apps for instructions on how to set up and configure a Job App. It is highly recommended to review the App configuration prior to running or activating the corresponding Job.

Configuration Parameters

Parameter Definitions

The parameters defined in Table 1 apply to the configuration parameters during the Job-creation process.

 

NameDescriptionRequired?
Source Tab
Job NameThe name of the Job to be created.Yes
Run ProgramSelect Digital Shadows SearchLight (1.0.2).Yes
Parameters Tab
Api UserThe name of the ThreatConnect API user.Yes
Digital Shadows API KeyThe API key provided by Digital Shadows SearchLight.Yes
Digital Shadows API SecretThe API secret provided by Digital Shadows SearchLight.Yes
ThreatConnect Default OrganizationThe ThreatConnect owner to ingest Indicators into.Yes
Default Threat RatingThe Threat Rating to apply to all ingested Indicators.No
Default Confidence RatingThe Confidence Rating to apply to all ingested Indicators.No
Last RunThe last time the Job successfully ran.No
Logging LevelDetermines the verbosity of the logging output for the App. It should not be used unless debugging is necessary.No
Schedule Tab
ScheduleSelect the type of interval at which to run the Job.Yes
AtEnter the time of day at which the Job should run. If you selected Daily for Schedule, you can select Every instead of At to run the Job more frequently than once per day. If you selected Weekly for Schedule, select the day(s) of the week on which the Job should run. If you selected Monthly for Schedule, select the day(s)of the month on which the Job should run.Yes unless Schedule is Daily and Every is selected
EverySelect the frequency at which the Job should run and the time window in which it should run at that frequency.No unless Schedule is Daily and At is not selected
Output Tab
Enable NotificationsSelect this checkbox to allow the Job to send notifications to a designated email address.No
Email AddressEnter the email address that should receive notifications about the Job.No
Notify on Job ResultSelect the Job result(s) for which notifications should be sent.No
AttachmentsSelect the Include Log Files (1MB file size limit) checkbox to include log files as attachments to notification.No

Data Mappings

The data mappings in Table 2 through Table 9 illustrate how data are mapped from Digital Shadows SearchLight into the ThreatConnect data model.

Actors

ThreatConnect object type: Adversary Group

 

Digital Shadows API FieldThreatConnect Field
idAttribute: "External ID"
primaryTag/{index}/id>N/A
primaryTag/{index}/nameName/Summary
primaryTag/{index}/typeN/A
typeN/A
threatLevel/typeAttribute: "Threat Level"
threatLevel/reasonAttribute: "Additional Analysis and Context"
activityLevelAttribute: "Activity Level"
summaryAttribute: "Description"
overviewAttribute: "Additional Analysis and Context"
lastActiveAttribute: "Last Seen"
overviewTags/{index}/idN/A
overviewTags/{index}/nameTag: "%s: %s" % (type, name)
overviewTags/{index}/type
imageIdN/A
imageThumbnailIdN/A
tacticDescriptionAttribute: "Additional Analysis and Context"
tacticTags/{index}/idN/A
tacticTags/{index}/nameAttribute: "Tactics, Techniques, and Procedures"
tacticTags/{index}/typeN/A
tacticTags/{index}/parent/idN/A
motivationTags/{index}/idN/A
motivationTags/{index}/nameAttribute: "Adversary Motivation Type" 
motivationTags/{index}/typeN/A
motivationTags/{index}/parent/idN/A
primaryLanguageTags/{index}/idN/A
primaryLanguageTags/{index}/nameAttribute: "Languages"
primaryLanguageTags/{index}/typeN/A
primaryLanguageTags/{index}/parent/idN/A
sourceGeographyTags/{index}/idN/A
sourceGeographyTags/{index}/nameAttribute: "Adversary Origin & Source"
sourceGeographyTags/{index}/typeN/A
sourceGeographyTags/{index}/parent/idN/A
actorTypeTags/{index}/idN/A
actorTypeTags/{index}/nameAttribute: "Adversary Type"
actorTypeTags/{index}/typeN/A
actorTypeTags/{index}/parent/idN/A
targetGeographyTags/{index}/idN/A
targetGeographyTags/{index}/nameAttribute: "Targeted Location"
targetGeographyTags/{index}/typeN/A
targetGeographyTags/{index}/parent/idN/A
targetSectorTags/{index}/idN/A
targetSectorTags/{index}/nameAttribute: "Targeted Industry Sector" 
targetSectorTags/{index}/typeN/A
targetSectorTags/{index}/parent/idN/A
specifiedTargetTags/{index}/idN/A
specifiedTargetTags/{index}/nameAttribute: "Targeted Identity"
specifiedTargetTags/{index}/typeN/A
specifiedTargetTags/{index}/parent/idN/A
intendedEffectTags/{index}/idN/A
intendedEffectTags/{index}/nameAttribute: "Intent"
intendedEffectTags/{index}/typeN/A
intendedEffectTags/{index}/parent/idN/A
impactEffectTags/{index}/idN/A
impactEffectTags/{index}/nameAttribute: "Impact Description"
impactEffectTags/{index}/typeN/A
impactEffectTags/{index}/parent/idN/A
associatedActorTags/{index}/idN/A
associatedActorTags/{index}/nameN/A
associatedActorTags/{index}/typeN/A
associatedActorTags/{index}/parent/idN/A
associatedCampaignTags/{index}/idN/A
associatedCampaignTags/{index}/nameN/A
associatedCampaignTags/{index}/typeN/A
associatedCampaignTags/{index}/parent/idN/A
associatedEventsN/A (no sample data found)
sitesN/A (no sample data found)
detailLevelN/A (no sample data found)
indicatorOfCompromiseCountN/A
aptReports/{index}/idAdversary-to-Report association
knownMembersN/A (no sample data found)
associatedLocationsN/A (no sample data found)
attackIncidentsN/A (no sample data found)
identifiersN/A (no sample data found)

Actors Associated Indicators

ThreatConnect object type: Indicator

 

Digital Shadows API FieldThreatConnect Field
content/{index}/idAttribute: "External ID"
content/{index}/typeSHA256 → Indicator Type: File
SHA1 → Indicator Type: File
MD5 → Indicator Type: File
IP → Indicator Type: Address
HOST → Indicator Type: Host
entity/idcontent/{index}/valueIndicator: Value
content/{index}/aptReport/idEach Indicator of this type is related to the Report object represented by this id. An association is created in ThreatConnect to show this relationship.

Campaigns

ThreatConnect object type: Campaign Group

 

Digital Shadows API FieldThreatConnect Field
idAttribute: "External ID"
primaryTag/{index}/idN/A
primaryTag/{index}/nameN/A
primaryTag/{index}/typeN/A
typeN/A
threatLevel/typeAttribute: "Threat Level"
threatLevel/reasonAttribute: "Additional Analysis and Context"
activityLevelAttribute: "Activity Level"
summaryAttribute: "Description"
overviewAttribute: "Additional Analysis and Context"
lastActiveAttribute: "External Date Last Modified"
overviewTags/{index}/idN/A
overviewTags/{index}/name

Tag: <type>: <name>

overviewTags/{index}/type
imageIdN/A
imageThumbnailIdN/A
tacticDescriptionAttribute: "Additional Analysis and Context"
tacticTags/{index}/idN/A
tacticTags/{index}/nameAttribute: "Tactics, Techniques, and Procedures"
tacticTags/{index}/typeN/A
tacticTags/{index}/parent/idN/A
motivationTags/{index}/idN/A
motivationTags/{index}/nameAttribute: "Adversary Motivation Type" 
motivationTags/{index}/typeN/A
motivationTags/{index}/parent/idN/A
primaryLanguageTags/{index}/idN/A
primaryLanguageTags/{index}/nameAttribute: "Languages"
primaryLanguageTags/{index}/typeN/A
primaryLanguageTags/{index}/parent/idN/A
sourceGeographyTags/{index}/idN/A
sourceGeographyTags/{index}/nameAttribute: "Adversary Origin & Source"
sourceGeographyTags/{index}/typeN/A
sourceGeographyTags/{index}/parent/idN/A
actorTypeTags/{index}/idN/A
actorTypeTags/{index}/nameAttribute: "Adversary Type"
actorTypeTags/{index}/typeN/A
actorTypeTags/{index}/parent/idN/A
targetGeographyTags/{index}/idN/A
targetGeographyTags/{index}/nameAttribute: "Targeted Location"
targetGeographyTags/{index}/typeN/A
targetGeographyTags/{index}/parent/idN/A
targetSectorTags/{index}/idN/A
targetSectorTags/{index}/nameAttribute: "Targeted Industry Sector"
targetSectorTags/{index}/typeN/A
targetSectorTags/{index}/parent/idN/A
specifiedTargetTags/{index}/idN/A
specifiedTargetTags/{index}/nameAttribute: "Targeted Identity"
specifiedTargetTags/{index}/typeN/A
specifiedTargetTags/{index}/parent/idN/A
intendedEffectTags/{index}/idN/A
intendedEffectTags/{index}/nameAttribute: "Intent"
intendedEffectTags/{index}/typeN/A
intendedEffectTags/{index}/parent/idN/A
impactEffectTags/{index}/idN/A
impactEffectTags/{index}/nameAttribute: "Impact Description"
impactEffectTags/{index}/typeN/A
impactEffectTags/{index}/parent/idN/A
associatedActorTags/{index}/idN/A
associatedActorTags/{index}/nameN/A
associatedActorTags/{index}/typeN/A
associatedActorTags/{index}/parent/idN/A
associatedCampaignTags/{index}/idN/A
associatedCampaignTags/{index}/nameN/A
associatedCampaignTags/{index}/typeN/A
associatedCampaignTags/{index}/parent/idN/A
associatedEvents/{index}/idCampaign-to-Event association
sitesN/A
detailLevelN/A
indicatorOfCompromiseCountN/A
aptReports/{index}/idCampaign-to-Report association
knownMembersN/A
associatedLocationsN/A
attackIncidents/{index}/idCampaign-to-Report association
identifiersN/A
attackEvidenceIncidents/{index}/idCampaign-to-Report association
announcementIncidents/{index}/idCampaign-to-Report association
startDateAttribute: "First Seen"
endDateAttribute: "Last Seen"
recurringN/A

Campaigns Associated Indicators

ThreatConnect object type: Indicator

 

Digital Shadows API FieldThreatConnect Field
content/{index}/idAttribute: "External ID"
content/{index}/typeSHA256 → Indicator Type: File
SHA1 → Indicator Type: File
MD5 → Indicator Type: File
IP → Indicator Type: Address
HOST → Indicator Type: Host
content/{index}/aptReport/idIndicator: Value
entity/idcontent/{index}/aptReport/idEach Indicator of this type is related to the Report object represented by this id. An association is created in ThreatConnect to show this relationship.

Events

ThreatConnect object type: Event Group

 

Digital Shadows API FieldThreatConnect Field
content/{index}/idAttribute: "External ID"
content/{index}/typeSHA256 → Indicator Type: File
SHA1 → Indicator Type: File
MD5 → Indicator Type: File
IP → Indicator Type: Address
HOST → Indicator Type: Host
content/{index}/valueIndicator: Value
content/{index}/aptReport/idEach Indicator of this type is related to the Report object represented by this id. An association is created in ThreatConnect to show this relationship.

Events Associated Indicators

ThreatConnect object type: Indicator

 

Digital Shadows API FieldThreatConnect Field
content/{index}/idAttribute: "External ID"
content/{index}/typeSHA256 → Indicator Type: File
SHA1 → Indicator Type: File
MD5 → Indicator Type: File
IP → Indicator Type: Address
HOST → Indicator Type: Host
content/{index}/valueIndicator: Value
analystNotes/idcontent/{index}/aptReport/idEach Indicator of this type is related to the Report object represented by this id. An association is created in ThreatConnect to show this relationship.

Incidents

ThreatConnect object type: Report Group

 

Digital Shadows API FieldThreatConnect Field
idAttribute: "External ID"
scopeAttribute: "Threat Scope"
typeAttribute: "Report Category"
severityAttribute: "Threat Level"
titleName/Summary
publishedPublish Date
closedSourceN/A
summaryAttribute: Description (default)
modifiedAttribute: "External Date Last Modified"
occurredAttribute: "First Seen"
verifiedAttribute: "Time Verified"
tags/{index}/idN/A
tags/{index}/nameTag: "%s: %s" % (type, name)
tags/{index}/type
versionAttribute: "Version"
scoreAttribute: "Impact Score"
entitySummary/sourceAttribute: "Source"
entitySummary/summaryTextN/A
entitySummary/domainN/A
entitySummary/sourceDateN/A
entitySummary/typeN/A
entitySummary/contentRemovedN/A
entitySummary/screenshot/idN/A
entitySummary/screenshot/linkAttribute: "External References"
entitySummary/screenshot/thumbnail/idN/A
entitySummary/screenshot/thumbnail/linkAttribute: "External References"
entitySummary/screenshotIdN/A
entitySummary/screenshotThumbnailIdN/A
descriptionDescription
internalN/A
restrictedContentN/A
indicatorOfCompromiseCountN/A

Incidents Associated Indicators

ThreatConnect object type: Indicator

 

Digital Shadows API FieldThreatConnect Field
content/{index}/idAttribute: "External ID"
content/{index}/typeSHA256 → Indicator Type: File
SHA1 → Indicator Type: File
MD5 → Indicator Type: File
IP → Indicator Type: Address
HOST → Indicator Type: Host
URL → Indicator Type: URL
content/{index}/valueIndicator: Value
content/{index}/aptReport/idEach Indicator of this type is related to the Report object represented by this id. An association is created in ThreatConnect to show this relationship.
content/{index}/source
Attribute: "Source"
content/{index}/lastUpdated
Attribute: "External Date Last Modified"

ThreatConnect® is a registered trademark, and TC Exchange™ is a trademark, of ThreatConnect, Inc.
 Digital Shadows SearchLight™ is a trademark of Digital Shadows Ltd.

30004-05 EN Rev. A


Was this article helpful?