SecLytics API - RandomRhythm/Vendor-Threat-Triage-Lookup GitHub Wiki

SecLytics API

The VTTL integration of the SecLytics API covers domain/IP address and hash lookups. Three SecLytics-specific columns are written to the CSV/spreadsheet for domain/IP address lookups.

SecLytics Reputation and Reason Column

The “SecLytics Reputation and Reason” column takes keywords from the context section for the IP/domain and deduplicates them into the spreadsheet cell value. Multiple keywords are separated by the ^ character.

SecLytics Associated File Metadata Column

The “SecLytics Associated File Metadata” column is output for both domain/IP address and hash lookups. This column is populated with keywords from the context section of the SecLytics API.

Associated File Metadata Log Output

VTTL currently excludes URLs, hashes and IP addresses from this column, since they are too lengthy to include in the spreadsheet output. They are instead written to log files, where “UniqueString” is the epoch time at which the script started:

  • IPs_Seclytic_UniqueString.log

  • Hashes_Seclytic_UniqueString.log

  • URLs_Seclytic_UniqueString.log

Each of the above log files is enabled or disabled by a Boolean setting in the ini file:

LogURLs=True

LogHashes=True

LogIPs=True

SecLytics File Count Column

The last of the three is the SecLytics File Count column. It gives the number of files used to populate the “SecLytics Associated File Metadata” column: simply a count of the hashes present in the API output for a domain/IP address lookup.
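The following is an added example of the column and log handling described above (keyword deduplication into a ^-separated cell, the file count, and the three indicator logs gated by the ini booleans). It is not VTTL's own code: the shape of the SecLytics context section (fields named keywords, files, urls, ips) and the ini fragment are constructed assumptions for this illustration, since the page does not show the real API layout.

```python
import os
import tempfile
import time
from typing import Dict, List, Optional, Sequence

# Constructed sample of the SecLytics "context" section for one IP/domain.
# The field names (keywords, files, urls, ips) are assumptions made for this
# example; the page does not show the API's real JSON layout.
SAMPLE_CONTEXT = {
    "keywords": ["malware", "c2", "malware", "Trojan.Emotet", "c2"],
    "files": [
        {"sha256": "a" * 64, "keywords": ["dropper", "malware"]},
        {"sha256": "b" * 64, "keywords": ["dropper", "Trojan.Emotet"]},
    ],
    "urls": ["http://bad.example/x.php", "http://bad.example/x.php",
             "http://bad.example/y.php"],
    "ips": ["203.0.113.5", "198.51.100.9", "203.0.113.5"],
}

# Constructed ini fragment using the three settings named on the page.
SAMPLE_INI = "LogURLs=True\nLogHashes=False\nLogIPs=True\n"


def dedupe_join(values: Sequence[str], sep: str = "^") -> str:
    """Deduplicate, keeping first-seen order, and join into one cell value."""
    return sep.join(dict.fromkeys(v for v in values if v))


def build_columns(context: dict) -> Dict[str, object]:
    """Produce the three SecLytics columns for a domain/IP lookup."""
    files = context.get("files", [])
    hashes = [f["sha256"] for f in files if f.get("sha256")]
    file_keywords = [k for f in files for k in f.get("keywords", [])]
    return {
        "SecLytics Reputation and Reason": dedupe_join(context.get("keywords", [])),
        "SecLytics Associated File Metadata": dedupe_join(file_keywords),
        # A plain count of the hashes present in the API output.
        "SecLytics File Count": len(hashes),
    }


def parse_log_settings(ini_text: str) -> Dict[str, bool]:
    """Read the LogURLs/LogHashes/LogIPs booleans from Key=Value lines."""
    settings = {"LogURLs": False, "LogHashes": False, "LogIPs": False}
    for line in ini_text.splitlines():
        line = line.strip()
        if "=" not in line or line.startswith(("#", ";")):
            continue
        key, _, value = line.partition("=")
        if key.strip() in settings:
            settings[key.strip()] = value.strip().lower() in ("true", "1", "yes", "on")
    return settings


def write_ioc_logs(context: dict, settings: Dict[str, bool], out_dir: str,
                   unique_string: str) -> List[str]:
    """Append the lengthy indicators to per-type log files instead of the sheet."""
    hashes = [f["sha256"] for f in context.get("files", []) if f.get("sha256")]
    plan = [
        ("LogIPs", f"IPs_Seclytic_{unique_string}.log", context.get("ips", [])),
        ("LogHashes", f"Hashes_Seclytic_{unique_string}.log", hashes),
        ("LogURLs", f"URLs_Seclytic_{unique_string}.log", context.get("urls", [])),
    ]
    written = []
    for flag, name, values in plan:
        if not settings.get(flag):
            continue
        path = os.path.join(out_dir, name)
        with open(path, "a", encoding="utf-8") as fh:   # append: one file per run
            for value in dict.fromkeys(values):          # no duplicate lines
                fh.write(value + "\n")
        written.append(path)
    return written


def demo(out_dir: Optional[str] = None, unique_string: Optional[str] = None) -> Dict[str, object]:
    """Run the whole flow on the constructed sample and return what was produced."""
    out_dir = out_dir or tempfile.mkdtemp(prefix="vttl_")
    unique_string = unique_string or str(int(time.time()))   # script start epoch
    settings = parse_log_settings(SAMPLE_INI)
    logs = {}
    for path in write_ioc_logs(SAMPLE_CONTEXT, settings, out_dir, unique_string):
        with open(path, encoding="utf-8") as fh:
            logs[os.path.basename(path)] = fh.read().splitlines()
    return {"columns": build_columns(SAMPLE_CONTEXT), "settings": settings, "logs": logs}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The log files are opened in append mode so that every lookup in one run lands in the same file named after the script's start time; duplicates within a single response are dropped before writing.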

IP Address Column (Passive DNS)

If the IP Address column is not already populated, the API integration adds the passive DNS IP resolution for the domain lookup to the spreadsheet. When a passive DNS IP address is identified, VTTL runs a sinkhole check against it. The IP address is also added to the lookup list, if not already in the list, to provide further context.

Watchlists

The SecLytics API integration also makes use of the keywords watchlist. SecLytics returns sandbox results, passive DNS, virus detection names, malware families and so on, so matching against the watchlist can flag specified keywords wherever they appear in that data. The check works by running the raw HTTP response body returned by the API against the watchlist and reporting any text matches.

VTTL also matches URLs found in the API response against the URL watchlist, and domains/IP addresses against the IP/Domain watchlist; in practice, anything in the response that looks like a domain name is checked. Detection names are likewise checked against the detection name watchlist.
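An added example of the watchlist pass described in the two paragraphs above: the raw response body is scanned for keyword and detection-name text matches, and URLs, domains and IPs are extracted and compared against their watchlists. This is illustration code, not VTTL's own implementation; the response body, the watchlist contents and the four watchlist names are constructed assumptions.

```python
import re
from typing import Dict, List

# Constructed API response body; its JSON layout is an assumption for this
# example, since the page does not show the real SecLytics response.
SAMPLE_BODY = (
    '{"context": {"sandbox": ["connects to evil-cdn.example", "drops payload.exe"], '
    '"detections": ["Trojan.Emotet", "Win32/Agent.XYZ"], '
    '"pdns": ["203.0.113.5"], '
    '"urls": ["http://evil-cdn.example/gate.php", "https://ok.example/"]}}'
)

# Constructed watchlists, one per list the page describes.
WATCHLISTS = {
    "keywords": ["emotet", "cobalt strike", "payload.exe"],
    "urls": ["http://evil-cdn.example/gate.php"],
    "domains_ips": ["evil-cdn.example", "203.0.113.5"],
    "detections": ["trojan.emotet"],
}

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# Deliberately permissive: anything that looks like a domain is a candidate,
# so file names such as payload.exe also turn up; only watchlist hits are reported.
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def substring_matches(body: str, watchlist: List[str]) -> List[str]:
    """Case-insensitive text match of each watchlist entry against the raw body."""
    lowered = body.lower()
    return [entry for entry in watchlist if entry.lower() in lowered]


def extract_urls(body: str) -> List[str]:
    """Every http(s) URL in the body, trailing punctuation stripped."""
    return sorted({u.rstrip(".,;)") for u in URL_RE.findall(body)})


def extract_domains_and_ips(body: str) -> List[str]:
    """Every domain-looking token and IPv4 address in the body."""
    found = {d.lower() for d in DOMAIN_RE.findall(body)}
    found.update(IPV4_RE.findall(body))
    return sorted(found)


def run_watchlists(body: str, watchlists: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return, per watchlist, the entries that hit the API response body."""
    url_set = set(watchlists.get("urls", []))
    host_set = {h.lower() for h in watchlists.get("domains_ips", [])}
    return {
        "keywords": substring_matches(body, watchlists.get("keywords", [])),
        "urls": [u for u in extract_urls(body) if u in url_set],
        "domains_ips": [h for h in extract_domains_and_ips(body) if h in host_set],
        "detections": substring_matches(body, watchlists.get("detections", [])),
    }


if __name__ == "__main__":
    for name, hits in run_watchlists(SAMPLE_BODY, WATCHLISTS).items():
        print(f"{name}: {hits}")
```

Because the keyword and detection checks are plain substring matches over the whole body, a short watchlist entry can match inside an unrelated field; keep entries specific (a full detection name rather than a family fragment) if that matters for your triage.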

Whois Column

VTTL uses the ASN value provided by SecLytics to populate the Whois column if it is not already populated. If the API results include no ASN, the whois results are parsed for the organization name instead. This applies only to IP addresses, not domains.

Validation Column

The AlienVault Validation column has been shortened to Validation and is now shared by AlienVault OTX and SecLytics. The SecLytics API provides whitelist information for domains and IP addresses, which is written to the Validation column. If AlienVault OTX has already populated the Validation column, the SecLytics validation is skipped.

Date First Seen (Hash Lookups)

For hash lookups, the SecLytics API lookup populates the Date First Seen column when an API query match is returned.