Digital Shadows SearchLight Integration Configuration Guide
- 17 Mar 2024
- 4 Minutes to read
-
Print
-
DarkLight
Digital Shadows SearchLight Integration Configuration Guide
- Updated on 17 Mar 2024
- 4 Minutes to read
-
Print
-
DarkLight
Article summary
Did you find this summary helpful?
Thank you for your feedback
Software Version
This guide applies to the Digital Shadows SearchLight App version 1.0.x.
Overview
The ThreatConnect® integration with Digital Shadows SearchLight provides an unparalleled vantage point for quickly discovering and removing information on which adversaries rely to hone attacks. It also enables you ingest and act on real-time exploit and vulnerability data essential for tuning layered security defenses and to import intelligence incidents, threats, and IOCs from the Digital Shadows API into ThreatConnect.
Dependencies
ThreatConnect Dependencies
- ThreatConnect instance with version 6.2 or newer installed
Note
All ThreatConnect dependencies will be provided by default to subscribing ThreatConnect Cloud customers. Customers on Dedicated Cloud and On-Premises instances can enable these settings on the Account Settings screen within their ThreatConnect instance.
Digital Shadows Dependencies
- Active subscription to Digital Shadows SearchLight with API key
Application Setup and Configuration
Organization Administrators should set up and configure the Digital Shadows SearchLight App. See Creating Jobs Using TC Exchange Apps for instructions on how to set up and configure a Job App. It is highly recommended to review the App configuration prior to running or activating the corresponding Job.
Configuration Parameters
Parameter Definitions
The parameters defined in Table 1 apply to the configuration parameters during the Job-creation process.
| Name | Description | Required? |
|---|---|---|
| Source Tab | ||
| Job Name | The name of the Job to be created. | Yes |
| Run Program | Select Digital Shadows SearchLight (1.0.2). | Yes |
| Parameters Tab | ||
| Api User | The name of the ThreatConnect API user. | Yes |
| Digital Shadows API Key | The API key provided by Digital Shadows SearchLight. | Yes |
| Digital Shadows API Secret | The API secret provided by Digital Shadows SearchLight. | Yes |
| ThreatConnect Default Organization | The ThreatConnect owner to ingest Indicators into. | Yes |
| Default Threat Rating | The Threat Rating to apply to all ingested Indicators. | No |
| Default Confidence Rating | The Confidence Rating to apply to all ingested Indicators. | No |
| Last Run | The last time the Job successfully ran. | No |
| Logging Level | Determines the verbosity of the logging output for the App. It should not be used unless debugging is necessary. | No |
| Schedule Tab | ||
| Schedule | Select the type of interval at which to run the Job. | Yes |
| At | Enter the time of day at which the Job should run. If you selected Daily for Schedule, you can select Every instead of At to run the Job more frequently than once per day. If you selected Weekly for Schedule, select the day(s) of the week on which the Job should run. If you selected Monthly for Schedule, select the day(s)of the month on which the Job should run. | Yes unless Schedule is Daily and Every is selected |
| Every | Select the frequency at which the Job should run and the time window in which it should run at that frequency. | No unless Schedule is Daily and At is not selected |
| Output Tab | ||
| Enable Notifications | Select this checkbox to allow the Job to send notifications to a designated email address. | No |
| Email Address | Enter the email address that should receive notifications about the Job. | No |
| Notify on Job Result | Select the Job result(s) for which notifications should be sent. | No |
| Attachments | Select the Include Log Files (1MB file size limit) checkbox to include log files as attachments to notification. | No |
Data Mappings
The data mappings in Table 2 through Table 9 illustrate how data are mapped from Digital Shadows SearchLight into the ThreatConnect data model.
Actors
ThreatConnect object type: Adversary Group
| Digital Shadows API Field | ThreatConnect Field |
|---|---|
| id | Attribute: "External ID" |
| primaryTag/{index}/id | >N/A |
| primaryTag/{index}/name | Name/Summary |
| primaryTag/{index}/type | N/A |
| type | N/A |
| threatLevel/type | Attribute: "Threat Level" |
| threatLevel/reason | Attribute: "Additional Analysis and Context" |
| activityLevel | Attribute: "Activity Level" |
| summary | Attribute: "Description" |
| overview | Attribute: "Additional Analysis and Context" |
| lastActive | Attribute: "Last Seen" |
| overviewTags/{index}/id | N/A |
| overviewTags/{index}/name | Tag: "%s: %s" % (type, name) |
| overviewTags/{index}/type | |
| imageId | N/A |
| imageThumbnailId | N/A |
| tacticDescription | Attribute: "Additional Analysis and Context" |
| tacticTags/{index}/id | N/A |
| tacticTags/{index}/name | Attribute: "Tactics, Techniques, and Procedures" |
| tacticTags/{index}/type | N/A |
| tacticTags/{index}/parent/id | N/A |
| motivationTags/{index}/id | N/A |
| motivationTags/{index}/name | Attribute: "Adversary Motivation Type" |
| motivationTags/{index}/type | N/A |
| motivationTags/{index}/parent/id | N/A |
| primaryLanguageTags/{index}/id | N/A |
| primaryLanguageTags/{index}/name | Attribute: "Languages" |
| primaryLanguageTags/{index}/type | N/A |
| primaryLanguageTags/{index}/parent/id | N/A |
| sourceGeographyTags/{index}/id | N/A |
| sourceGeographyTags/{index}/name | Attribute: "Adversary Origin & Source" |
| sourceGeographyTags/{index}/type | N/A |
| sourceGeographyTags/{index}/parent/id | N/A |
| actorTypeTags/{index}/id | N/A |
| actorTypeTags/{index}/name | Attribute: "Adversary Type" |
| actorTypeTags/{index}/type | N/A |
| actorTypeTags/{index}/parent/id | N/A |
| targetGeographyTags/{index}/id | N/A |
| targetGeographyTags/{index}/name | Attribute: "Targeted Location" |
| targetGeographyTags/{index}/type | N/A |
| targetGeographyTags/{index}/parent/id | N/A |
| targetSectorTags/{index}/id | N/A |
| targetSectorTags/{index}/name | Attribute: "Targeted Industry Sector" |
| targetSectorTags/{index}/type | N/A |
| targetSectorTags/{index}/parent/id | N/A |
| specifiedTargetTags/{index}/id | N/A |
| specifiedTargetTags/{index}/name | Attribute: "Targeted Identity" |
| specifiedTargetTags/{index}/type | N/A |
| specifiedTargetTags/{index}/parent/id | N/A |
| intendedEffectTags/{index}/id | N/A |
| intendedEffectTags/{index}/name | Attribute: "Intent" |
| intendedEffectTags/{index}/type | N/A |
| intendedEffectTags/{index}/parent/id | N/A |
| impactEffectTags/{index}/id | N/A |
| impactEffectTags/{index}/name | Attribute: "Impact Description" |
| impactEffectTags/{index}/type | N/A |
| impactEffectTags/{index}/parent/id | N/A |
| associatedActorTags/{index}/id | N/A |
| associatedActorTags/{index}/name | N/A |
| associatedActorTags/{index}/type | N/A |
| associatedActorTags/{index}/parent/id | N/A |
| associatedCampaignTags/{index}/id | N/A |
| associatedCampaignTags/{index}/name | N/A |
| associatedCampaignTags/{index}/type | N/A |
| associatedCampaignTags/{index}/parent/id | N/A |
| associatedEvents | N/A (no sample data found) |
| sites | N/A (no sample data found) |
| detailLevel | N/A (no sample data found) |
| indicatorOfCompromiseCount | N/A |
| aptReports/{index}/id | Adversary-to-Report association |
| knownMembers | N/A (no sample data found) |
| associatedLocations | N/A (no sample data found) |
| attackIncidents | N/A (no sample data found) |
| identifiers | N/A (no sample data found) |
Actors Associated Indicators
ThreatConnect object type: Indicator
| Digital Shadows API Field | ThreatConnect Field |
|---|---|
| content/{index}/id | Attribute: "External ID" |
| content/{index}/type | SHA256 → Indicator Type: File SHA1 → Indicator Type: File MD5 → Indicator Type: File IP → Indicator Type: Address HOST → Indicator Type: Host |
| entity/idcontent/{index}/value | Indicator: Value |
| content/{index}/aptReport/id | Each Indicator of this type is related to the Report object represented by this id. An association is created in ThreatConnect to show this relationship. |
Campaigns
ThreatConnect object type: Campaign Group
| Digital Shadows API Field | ThreatConnect Field |
|---|---|
| id | Attribute: "External ID" |
| primaryTag/{index}/id | N/A |
| primaryTag/{index}/name | N/A |
| primaryTag/{index}/type | N/A |
| type | N/A |
| threatLevel/type | Attribute: "Threat Level" |
| threatLevel/reason | Attribute: "Additional Analysis and Context" |
| activityLevel | Attribute: "Activity Level" |
| summary | Attribute: "Description" |
| overview | Attribute: "Additional Analysis and Context" |
| lastActive | Attribute: "External Date Last Modified" |
| overviewTags/{index}/id | N/A |
| overviewTags/{index}/name | Tag: <type>: <name> |
| overviewTags/{index}/type | |
| imageId | N/A |
| imageThumbnailId | N/A |
| tacticDescription | Attribute: "Additional Analysis and Context" |
| tacticTags/{index}/id | N/A |
| tacticTags/{index}/name | Attribute: "Tactics, Techniques, and Procedures" |
| tacticTags/{index}/type | N/A |
| tacticTags/{index}/parent/id | N/A |
| motivationTags/{index}/id | N/A |
| motivationTags/{index}/name | Attribute: "Adversary Motivation Type" |
| motivationTags/{index}/type | N/A |
| motivationTags/{index}/parent/id | N/A |
| primaryLanguageTags/{index}/id | N/A |
| primaryLanguageTags/{index}/name | Attribute: "Languages" |
| primaryLanguageTags/{index}/type | N/A |
| primaryLanguageTags/{index}/parent/id | N/A |
| sourceGeographyTags/{index}/id | N/A |
| sourceGeographyTags/{index}/name | Attribute: "Adversary Origin & Source" |
| sourceGeographyTags/{index}/type | N/A |
| sourceGeographyTags/{index}/parent/id | N/A |
| actorTypeTags/{index}/id | N/A |
| actorTypeTags/{index}/name | Attribute: "Adversary Type" |
| actorTypeTags/{index}/type | N/A |
| actorTypeTags/{index}/parent/id | N/A |
| targetGeographyTags/{index}/id | N/A |
| targetGeographyTags/{index}/name | Attribute: "Targeted Location" |
| targetGeographyTags/{index}/type | N/A |
| targetGeographyTags/{index}/parent/id | N/A |
| targetSectorTags/{index}/id | N/A |
| targetSectorTags/{index}/name | Attribute: "Targeted Industry Sector" |
| targetSectorTags/{index}/type | N/A |
| targetSectorTags/{index}/parent/id | N/A |
| specifiedTargetTags/{index}/id | N/A |
| specifiedTargetTags/{index}/name | Attribute: "Targeted Identity" |
| specifiedTargetTags/{index}/type | N/A |
| specifiedTargetTags/{index}/parent/id | N/A |
| intendedEffectTags/{index}/id | N/A |
| intendedEffectTags/{index}/name | Attribute: "Intent" |
| intendedEffectTags/{index}/type | N/A |
| intendedEffectTags/{index}/parent/id | N/A |
| impactEffectTags/{index}/id | N/A |
| impactEffectTags/{index}/name | Attribute: "Impact Description" |
| impactEffectTags/{index}/type | N/A |
| impactEffectTags/{index}/parent/id | N/A |
| associatedActorTags/{index}/id | N/A |
| associatedActorTags/{index}/name | N/A |
| associatedActorTags/{index}/type | N/A |
| associatedActorTags/{index}/parent/id | N/A |
| associatedCampaignTags/{index}/id | N/A |
| associatedCampaignTags/{index}/name | N/A |
| associatedCampaignTags/{index}/type | N/A |
| associatedCampaignTags/{index}/parent/id | N/A |
| associatedEvents/{index}/id | Campaign-to-Event association |
| sites | N/A |
| detailLevel | N/A |
| indicatorOfCompromiseCount | N/A |
| aptReports/{index}/id | Campaign-to-Report association |
| knownMembers | N/A |
| associatedLocations | N/A |
| attackIncidents/{index}/id | Campaign-to-Report association |
| identifiers | N/A |
| attackEvidenceIncidents/{index}/id | Campaign-to-Report association |
| announcementIncidents/{index}/id | Campaign-to-Report association |
| startDate | Attribute: "First Seen" |
| endDate | Attribute: "Last Seen" |
| recurring | N/A |
Campaigns Associated Indicators
ThreatConnect object type: Indicator
| Digital Shadows API Field | ThreatConnect Field |
|---|---|
| content/{index}/id | Attribute: "External ID" |
| content/{index}/type | SHA256 → Indicator Type: File SHA1 → Indicator Type: File MD5 → Indicator Type: File IP → Indicator Type: Address HOST → Indicator Type: Host |
| content/{index}/aptReport/id | Indicator: Value |
| entity/idcontent/{index}/aptReport/id | Each Indicator of this type is related to the Report object represented by this id. An association is created in ThreatConnect to show this relationship. |
Events
ThreatConnect object type: Event Group
| Digital Shadows API Field | ThreatConnect Field |
|---|---|
| content/{index}/id | Attribute: "External ID" |
| content/{index}/type | SHA256 → Indicator Type: File SHA1 → Indicator Type: File MD5 → Indicator Type: File IP → Indicator Type: Address HOST → Indicator Type: Host |
| content/{index}/value | Indicator: Value |
| content/{index}/aptReport/id | Each Indicator of this type is related to the Report object represented by this id. An association is created in ThreatConnect to show this relationship. |
Events Associated Indicators
ThreatConnect object type: Indicator
| Digital Shadows API Field | ThreatConnect Field |
|---|---|
| content/{index}/id | Attribute: "External ID" |
| content/{index}/type | SHA256 → Indicator Type: File SHA1 → Indicator Type: File MD5 → Indicator Type: File IP → Indicator Type: Address HOST → Indicator Type: Host |
| content/{index}/value | Indicator: Value |
| analystNotes/idcontent/{index}/aptReport/id | Each Indicator of this type is related to the Report object represented by this id. An association is created in ThreatConnect to show this relationship. |
Incidents
ThreatConnect object type: Report Group
| Digital Shadows API Field | ThreatConnect Field |
|---|---|
| id | Attribute: "External ID" |
| scope | Attribute: "Threat Scope" |
| type | Attribute: "Report Category" |
| severity | Attribute: "Threat Level" |
| title | Name/Summary |
| published | Publish Date |
| closedSource | N/A |
| summary | Attribute: Description (default) |
| modified | Attribute: "External Date Last Modified" |
| occurred | Attribute: "First Seen" |
| verified | Attribute: "Time Verified" |
| tags/{index}/id | N/A |
| tags/{index}/name | Tag: "%s: %s" % (type, name) |
| tags/{index}/type | |
| version | Attribute: "Version" |
| score | Attribute: "Impact Score" |
| entitySummary/source | Attribute: "Source" |
| entitySummary/summaryText | N/A |
| entitySummary/domain | N/A |
| entitySummary/sourceDate | N/A |
| entitySummary/type | N/A |
| entitySummary/contentRemoved | N/A |
| entitySummary/screenshot/id | N/A |
| entitySummary/screenshot/link | Attribute: "External References" |
| entitySummary/screenshot/thumbnail/id | N/A |
| entitySummary/screenshot/thumbnail/link | Attribute: "External References" |
| entitySummary/screenshotId | N/A |
| entitySummary/screenshotThumbnailId | N/A |
| description | Description |
| internal | N/A |
| restrictedContent | N/A |
| indicatorOfCompromiseCount | N/A |
Incidents Associated Indicators
ThreatConnect object type: Indicator
| Digital Shadows API Field | ThreatConnect Field |
|---|---|
| content/{index}/id | Attribute: "External ID" |
| content/{index}/type | SHA256 → Indicator Type: File SHA1 → Indicator Type: File MD5 → Indicator Type: File IP → Indicator Type: Address HOST → Indicator Type: Host URL → Indicator Type: URL |
| content/{index}/value | Indicator: Value |
| content/{index}/aptReport/id | Each Indicator of this type is related to the Report object represented by this id. An association is created in ThreatConnect to show this relationship. |
| content/{index}/source | Attribute: "Source" |
| content/{index}/lastUpdated | Attribute: "External Date Last Modified" |
ThreatConnect® is a registered trademark, and TC Exchange™ is a trademark, of ThreatConnect, Inc.
Digital Shadows SearchLight™ is a trademark of Digital Shadows Ltd.
30004-05 EN Rev. A
Was this article helpful?
