Updated on 2026-07-01 GMT+08:00

ThreatBook

Function Description

This plugin has been built in SecMaster. It can call ThreatBook (ThreatBook online X intelligence community) to query threat indicators.

Each built-in plugin has a corresponding built-in operation connection.

Viewing Details and Operation Connections of the ThreatBook Plugin

  1. Log in to the SecMaster console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. In the navigation pane on the left, choose Workspaces > Management. In the workspace list, click the name of the target workspace.

    Figure 1 Workspace management page

  4. In the navigation pane on the left, choose Security Orchestration > Plugins.

    Figure 2 Plugins page

  5. On the Plugins page, select the ThreatBook plugin under the ThreatBook catalog. The Details tab is displayed by default. The Details tab displays the login credential information of the operation connection associated with the plugin.
  6. Click the Operation Connections tab for the ThreatBook plugin. On the displayed page, you can view information about the operation connections associated with the ThreatBook plugin.
  7. For details about how to edit or delete an operation connection, see Editing an Operation Connection and Deleting an Operation Connection. For details about how to add an operation connection for a plugin, see Creating an Operation Connection. A plugin can have multiple operation connections.

Plugin Execution Function getThreatBookInfo

Parameters of the getThreatBookInfo Function

Function: Calls ThreatBook (ThreatBook online X intelligence community) to query threat indicators.

Table 1 Input parameters of the getThreatBookInfo function

| Parameter | Parameter Type | Parameter Description | Mandatory |
| --- | --- | --- | --- |
| inputData | String | Value of the query object, which corresponds to sourceType. If sourceType is set to ip, set inputData to the IP address of the indicator, for example, 0.0.0.0. If sourceType is set to domain, set inputData to the specific domain name of the indicator, for example, xxxx.com. If sourceType is set to filehash, set inputData to the hash value of the indicator file. | Yes |
| sourceType | String | Data type of the threat indicator object. Value range: Only filehash, ip, and domain are supported. Uppercase letters and other values are not supported. | Yes |
| language | String | Response language of the query result. The value can be zh or en. Uppercase letters and other values are not supported. zh indicates that the query result is displayed in simplified Chinese. en indicates that the query result is displayed in English. | Yes |

Table 2 Output parameters of the getThreatBookInfo function

| Parameter | Parameter Type | Parameter Description |
| --- | --- | --- |
| header | Object | Response header. It includes basic information about the request and response, such as the request time, response service, and request ID. |
| code | Int | Status code, which indicates whether the request is successful. Response code description: 200, the request is successful; 401, the account or password is incorrect; 403, the permission is insufficient; 404, the requested resource does not exist. |
| body | Object | Content details returned by the API, including details about related indicators. |

Output Example of the getThreatBookInfo Function

{
  "data": {
    "severity": "info",
    "is_malicious": false,
    "tags_classes": [
      {
        "tags_type": "public_info",
        "tags": [
          "GoogleCloud"
        ]
      }
    ],
    "update_time": "2026-04-14 06:08:38",
    "judgments": [
      "Gateway",
      "Whitelist",
      "CDN"
    ],
    "confidence_level": "high",
    "orikey": "8.8.8.8",
    "permalink": "https://x.threatbook.com/v5/ip/8.8.8.8",
    "basic": {
      "carrier": "Google LLC",
      "location": {
        "country": "United States",
        "country_code": "US",
        "province": "",
        "lng": "-101.407912",
        "city": "",
        "lat": "39.765054"
      }
    },
    "asn": {
      "number": 15169,
      "rank": 4,
      "info": "GOOGLE"
    },
    "scene": "Cloud Provider"
  },
  "logMsg": [],
  "status": "success"
}
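
The following Python helper is an added example, not part of the SecMaster documentation or the plugin's own code: it chooses sourceType for an indicator under the Table 1 constraints and reduces a result shaped like the output example above to a verdict a playbook can branch on. The verdict labels, the hash-length and domain patterns, acceptance of IPv6, and treating any status other than success as an error are assumptions of this example.

```python
import ipaddress
import json
import re

LANGUAGES = ("zh", "en")  # lowercase only, per Table 1
# Assumption: hashes are MD5, SHA-1 or SHA-256 hex; the page names no hash types.
HASH_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

# Trimmed copy of the output example on this page.
PAGE_SAMPLE = """{"data": {"severity": "info", "is_malicious": false,
 "judgments": ["Gateway", "Whitelist", "CDN"], "confidence_level": "high",
 "orikey": "8.8.8.8"}, "logMsg": [], "status": "success"}"""


def build_input(indicator, language="en"):
    """Return the three mandatory input parameters for one indicator."""
    if language not in LANGUAGES:
        raise ValueError("language must be exactly 'zh' or 'en'")
    value = indicator.strip()
    try:
        ipaddress.ip_address(value)  # also accepts IPv6 (assumption)
        source_type = "ip"
    except ValueError:
        if HASH_RE.match(value):
            source_type = "filehash"
        elif DOMAIN_RE.match(value):
            source_type = "domain"
        else:
            raise ValueError(f"unsupported indicator: {indicator!r}") from None
    return {"inputData": value, "sourceType": source_type, "language": language}


def summarize(raw):
    """Reduce a result to a verdict; a failed lookup is never treated as clean."""
    result = json.loads(raw) if isinstance(raw, str) else raw
    data = result.get("data")
    if result.get("status") != "success" or not isinstance(data, dict):
        return {"verdict": "error", "indicator": None, "judgments": []}
    judgments = data.get("judgments") or []
    if data.get("is_malicious") is True:
        verdict = "malicious"
    elif "Whitelist" in judgments:
        verdict = "allowlisted"
    else:
        verdict = "unknown"
    return {"verdict": verdict, "indicator": data.get("orikey"),
            "confidence": data.get("confidence_level"), "judgments": judgments}
```

Returning a separate error verdict keeps a failed or empty lookup from being read downstream as a clean indicator.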