The AliyunThreatIntelligence component queries Alibaba Cloud threat intelligence to determine whether an IP address, domain, or file is malicious. Use it in Security Operations Center (SOC) playbooks to automate threat classification and triage decisions.
Actions
| Action | Description | Use case |
|---|---|---|
| describeInformation | Queries Alibaba Cloud threat intelligence. | Check whether an IP address, file hash, or domain is malicious. |
Input parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| entityType | String | Yes | The entity type to query. Valid values: ip, file, domain. |
| entityValue | String | Yes | The value to query. Format depends on entityType. |
`entityValue` format by entity type:
| entityType | Format | Example |
|---|---|---|
| ip | IP address | 192.0.XX.XX |
| file | File MD5 hash | b4208cc50cb*0f82a47d*fde4312a |
| domain | Domain name. Wildcard domains are supported. | example.com |
Decision guide
Use ThreatLevel and Confidence together to decide whether to block or allow traffic.
| ThreatLevel | Meaning | Confidence >= 90 | Confidence 60–89 | Confidence < 60 |
|---|---|---|---|---|
| 3 | High risk | Block | Investigate | Low confidence |
| 2 | Medium risk | Investigate | Investigate | Low confidence |
| 1 | Low risk / suspicious | Investigate | Supplementary data | Low confidence |
| 0 | Normal (allowlist) | Allow | Allow | Allow |
| -1 | Unknown | — | — | — |
Confidence ranges:
- 90–100: Highly reliable. Block on ThreatLevel=3; allow on ThreatLevel=0.
- 60–89: Somewhat reliable. Use as supplementary data for analysis, not as the sole basis for blocking.
- Below 60: Low confidence. Treat with caution.
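The decision matrix above as a playbook helper, added here as an example and not part of the component itself: `triage()` normalises one describeInformation result (the example outputs further down show `ThreatLevel` and `Confidence` arriving both as numbers and as strings, and `ThreatTypes` as a JSON string for IP queries but as an array for domains) and returns the block / investigate / allow verdict from the table. The sample results are constructed; treating a missing or empty Confidence value like the below-60 band is an assumption, not something the page states.

```python
import json

# Decision matrix from the guide above, keyed by ThreatLevel and confidence band.
# Bands: "high" = Confidence >= 90, "mid" = 60-89, "low" = below 60 (or not reported).
DECISIONS = {
    3: {"high": "block", "mid": "investigate", "low": "low_confidence"},
    2: {"high": "investigate", "mid": "investigate", "low": "low_confidence"},
    1: {"high": "investigate", "mid": "supplementary", "low": "low_confidence"},
    0: {"high": "allow", "mid": "allow", "low": "allow"},
}

def as_int(value, default=-1):
    """Coerce a field returned as a number, a numeric string or '' to int."""
    try:
        return default if value in (None, "") else int(value)
    except (TypeError, ValueError):
        return default

def confidence_band(confidence):
    if confidence >= 90:
        return "high"
    return "mid" if confidence >= 60 else "low"

def triage(result):
    """Map one describeInformation result to a playbook verdict."""
    level = as_int(result.get("ThreatLevel"))
    # Assumption: a missing or empty Confidence is handled like the < 60 band.
    confidence = as_int(result.get("Confidence"), default=0)
    verdict = DECISIONS.get(level, {}).get(confidence_band(confidence), "unknown")
    # ThreatTypes is a JSON string for IP results but a JSON array for domains/files.
    tags = result.get("ThreatTypes") or []
    if isinstance(tags, str):
        tags = json.loads(tags)
    threat_types = sorted({t["threat_type"] for t in tags if "threat_type" in t})
    return {"verdict": verdict, "threat_level": level, "confidence": confidence,
            "scenario": result.get("Scenario") or "", "threat_types": threat_types}

# Constructed sample results shaped like the page's example outputs (not real API data).
SAMPLE_RESULTS = {
    "domain": {"ThreatLevel": "2", "Confidence": "95", "Scenario": "Compromise indicator",
               "ThreatTypes": [{"threat_type": "Malicious Source", "risk_type": 3},
                               {"threat_type": "Regsvr32", "risk_type": 3}]},
    "ip_unknown": {"ThreatLevel": -1, "Confidence": "", "ThreatTypes": "", "Scenario": ""},
    "ip_c2": {"ThreatLevel": 3, "Confidence": 92, "Scenario": "Compromise indicator",
              "ThreatTypes": json.dumps([{"threat_type": "C&C Server", "risk_type": 3}])},
}
if __name__ == "__main__":
    for name, res in SAMPLE_RESULTS.items():
        print(name, triage(res))
```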
Output reference
IP type
Output parameters
| Parameter | Type | Description |
|---|---|---|
| ThreatLevel | Number | Threat level: 3 = high risk, 2 = medium risk, 1 = low risk/suspicious, 0 = normal (allowlist), -1 = unknown. |
| Confidence | Number | Confidence in the result. Range: 0–100. Higher values indicate greater certainty. |
| ThreatTypes | JSON string | Risk tags from threat intelligence and security event analysis. See fields below. |
| Intelligences | JSON array | Threat intelligence event details. See fields below. |
| AttackPreferenceTop5 | JSON array | Top five industries targeted by this IP. See fields below. |
| AttackCntByThreatType | JSON array | Attack count grouped by MITRE ATT&CK stage. See fields below. |
| Ip | JSON object | Basic IP geolocation and network information. See fields below. |
| Whois | String | Whois registration information for the IP address. |
| Scenario | String | Attack scenario classification. See values below. |
| RequestId | String | Unique request ID generated by Alibaba Cloud. |
`ThreatTypes` fields:
| Field | Description |
|---|---|
| threat_type | Threat type. Common values: IDC (IDC server), Tor (dark web), Proxy, NAT (public exit), Miner Pool, C&C Server (command-and-control), Brute Force, Malicious Login, WEB Attack, Malicious Source, Network Service Scanning, Exploit, Network Share Discovery, Scheduled Task (Windows), BITS Jobs, Command-Line Interface, Mshta execution, Regsvr32, Signed Binary Proxy Execution, Local Job Scheduling (Linux), Rundll32, Web Shell, SQL Injection, XSS Attack |
| threat_type_desc | Tag description. |
| risk_type | Threat level: 3 = high risk, 2 = medium risk, 1 = suspicious, 0 = normal, -1 = unknown. |
| scenario | Security scenario: attack indicator or compromise indicator. |
| first_find_time | Time the tag was first applied. |
| last_find_time | Time the tag was last applied. |
| attck_stage | Related MITRE ATT&CK stage. |
`Intelligences` fields:
| Field | Description |
|---|---|
| source | Source of the threat intelligence event. |
| first_find_time | Time the event was first discovered. |
| last_find_time | Last active time. |
| threat_type_l2 | Detailed threat tags, such as family/group tags (for example, Mykings) or attack methods (for example, SQL injection). |
`AttackPreferenceTop5` fields:
| Field | Description |
|---|---|
| event_cnt | Number of attacks. |
| industry_name | Industry category of the attack target. |
| gmt_last_attack | Time of the most recent attack. |
`AttackCntByThreatType` fields:
| Field | Description |
|---|---|
| event_cnt | Number of attacks. |
| threat_type | Related MITRE ATT&CK stage. |
`Ip` fields:
| Field | Description |
|---|---|
| ip | IP address. |
| idc_name | IDC server name. |
| isp | Internet service provider (ISP). |
| country | Country. |
| province | Province. |
| city | City. |
| asn | Autonomous System Number (ASN). |
| asn_label | ASN name. |
`Scenario` values:
| Value | Description |
|---|---|
| Attack indicator | This IP actively initiates attack traffic. Match it on security devices such as firewalls or WAFs as an external-to-internal source and block based on its tags. |
| Compromise indicator | Attackers use scripts or malware that communicate with this IP for command and data transfer. Detecting this IP in traffic or logs means the host is already compromised. |
| Information data | Includes allowlisted entries. This field contains informational data only and poses no risk. |
Example output
```json
{
  "Context": "",
  "Group": "",
  "Whois": "",
  "AttackCntByThreatType": [
    {
      "event_cnt": 1,
      "threat_type": "Application layer intrusion"
    }
  ],
  "ThreatLevel": -1,
  "Confidence": "",
  "Ip": {
    "country": "",
    "province": "",
    "city": "",
    "ip": "127.0.0.1",
    "isp": "",
    "asn": "",
    "asn_label": ""
  },
  "ThreatTypes": "",
  "Intelligences": [],
  "AttackPreferenceTop5": [
    {
      "event_cnt": 2407,
      "industry_name": "IoT",
      "gmt_last_attack": "2021-12-15 23:59:15"
    },
    {
      "event_cnt": 4813,
      "industry_name": "Manufacturing",
      "gmt_last_attack": "2021-12-15 23:59:49"
    },
    {
      "event_cnt": 2240,
      "industry_name": "Finance",
      "gmt_last_attack": "2021-12-15 23:59:41"
    },
    {
      "event_cnt": 16954,
      "industry_name": "Retail",
      "gmt_last_attack": "2021-12-15 23:59:31"
    },
    {
      "event_cnt": 28764,
      "industry_name": "Internet",
      "gmt_last_attack": "2021-12-15 23:59:48"
    }
  ],
  "Scenario": ""
}
```
File type
Output parameters
| Parameter | Type | Description |
|---|---|---|
| ThreatLevel | Number | Threat level: 3 = high risk, 2 = medium risk, 1 = suspicious, 0 = normal, -1 = unknown. |
| Intelligences | JSON array | Threat intelligence events for this file. Array elements include DDoS Trojans, mining programs, network-layer intrusions, network service scans, network share discoveries, miner pools, exploits, dark web activity, malicious logins, malicious download sources, C&C servers, Web Shells, and web attacks. |
| ThreatTypes | JSON array | Risk and server tags from threat intelligence and security event analysis. See fields below. |
| Basic | JSON object | Basic file information. See fields below. |
| FileHash | String | File hash value (MD5). |
| Sandbox | String | Dynamic sandbox analysis result. |
| RequestId | String | Unique request ID generated by Alibaba Cloud. |
`ThreatTypes` fields:
| Field | Description |
|---|---|
| threat_type_desc | Malware category. Values include: Rootkit, backdoor program, suspicious program, mining program, DDoS Trojan, malware, worm, suspicious hacking tool, Trojan program, contaminated base software, infectious virus, exploit program, ransomware, self-mutating Trojan, high-risk program, hacking tool. |
| threat_type | Threat type. Values include: network-layer intrusions, network service scans, network share discoveries, Miner Pool, exploits, dark web activity, malicious logins, malicious download sources, C&C servers, web shells, web attacks. |
| risk_type | Indicates whether the tag is malicious: 1 = malicious, 0 = non-malicious, -1 = unknown. |
| last_find_time | Most recent discovery time. |
`Basic` fields:
| Field | Description |
|---|---|
| md5 | File MD5 hash. |
| sha1 | File SHA-1 hash. |
| sha256 | File SHA-256 hash. |
| sha512 | File SHA-512 hash. |
| virus_result | Static scan result: 1 = malicious, 0 = normal, -1 = unknown. |
| sandbox_result | Dynamic sandbox result: 1 = malicious, 0 = normal, -1 = unknown. |
| source | File source. The only valid value is aegis, indicating detection by Security Center. |
Example output
```json
{
  "Intelligences": [
    "DDoS Trojan"
  ],
  "RequestId": "3F2BBCA2-4EE5-456F-****-DE0B69CAFD71",
  "FileHash": "02e6b7cf0d34c6eac05*****751208b",
  "ThreatTypes": [
    {
      "threat_type_desc": "DDoS Trojan",
      "risk_type": 1,
      "threat_type": "DDoS"
    }
  ],
  "Basic": {
    "sha1": "",
    "virus_result": "1",
    "sandbox_result": "-1",
    "sha256": "",
    "sha512": "",
    "virus_name": "Self-mutating Trojan",
    "source": "aegis"
  },
  "ThreatLevel": "2",
  "Sandbox": ""
}
```
Domain type
Output parameters
| Parameter | Type | Description |
|---|---|---|
| ThreatLevel | Number | Threat level: 3 = high risk, 2 = medium risk, 1 = low risk, 0 = normal (allowlist), -1 = unknown. |
| Confidence | Number | Confidence in the result. Range: 60–100. |
| ThreatTypes | JSON array | Detailed threat intelligence data for this domain. See fields below. |
| Intelligences | JSON array | Threat intelligence event details. See fields below. |
| AttackPreferenceTop5 | JSON array | Top five industries of websites attacked through this domain. Fields: event_cnt, industry_name, gmt_last_attack. |
| AttackCntByThreatType | JSON object | Attack count grouped by MITRE ATT&CK stage. Fields: event_cnt, threat_type. |
| Scenario | String | Attack scenario classification for this domain. See values below. |
| Domain | String | Domain name. |
| Basic | JSON object | Basic domain registration information. See fields below. |
| SslCert | JSON object | SSL certificate information bound to the domain. |
| Whois | JSON object | Whois registration information for the domain. |
| RequestId | String | Unique request ID generated by Alibaba Cloud. |
`ThreatTypes` fields:
| Field | Description |
|---|---|
| threat_type | Threat type. Common values: Botnet, Trojan, Worm, Malware, Ransomware, APT (advanced persistent threat), RAT (remote access trojan), C&C Server (command-and-control), Miner Pool, Malicious Source, Scheduled Task (Windows), BITS Jobs, Command-Line Interface, Mshta execution, Regsvr32, Signed Binary Proxy Execution, Local Job Scheduling (Linux), Rundll32 |
| threat_type_desc | Tag description. |
| first_find_time | Time the tag was first applied. |
| last_find_time | Time the tag was last applied. |
| risk_type | Threat severity: 3 = high risk, 2 = medium risk, 1 = low risk, 0 = non-malicious, -1 = unknown. |
| scenario | Scenario classification: compromise indicator or attack indicator. |
| attck_stage | Related MITRE ATT&CK stage. |
`Intelligences` fields:
| Field | Description |
|---|---|
| source | Source of the threat intelligence data. |
| first_find_time | Time the event was first discovered. |
| last_find_time | Last active time. |
| threat_type_l2 | Detailed threat tags, such as family/group tags (for example, Mykings, APT32) or attack methods (for example, BITS Jobs). |
| threat_type | Primary threat category corresponding to the detailed tag. |
| refer | Related references. |
`Basic` fields:
| Field | Description |
|---|---|
| domain | Domain name. |
| sld_domain | Second-level domain (SLD). |
| reg_date | Domain registration date. |
| expire_date | Domain expiration date. |
| child_domain_cnt | Number of subdomains. |
| malicious_child_domain_cnt | Number of malicious subdomains. |
| ip_cnt | Number of IP addresses this domain resolved to in the past year. |
| malicious_ip_cnt | Number of malicious IP addresses this domain resolved to in the past year. |
`Scenario` values:
| Value | Description |
|---|---|
| Attack indicator | Domains are typically not attack indicators. |
| Compromise indicator | Attackers use scripts or malware that communicate with this domain for command and data transfer. Detecting this domain in traffic or logs means the host is already compromised. This represents post-compromise C2 communication. |
| Information data | Includes allowlisted entries. This field contains informational data only and poses no risk. |
Example output
```json
{
  "Intelligences": [
    {
      "last_find_time": "2020-06-17 03:54:23",
      "threat_type_l2": "Malicious download source",
      "first_find_time": "2020-01-01 00:59:52",
      "source": "aliyun"
    },
    {
      "last_find_time": "2020-11-10 14:45:12",
      "threat_type_l2": "rexxx.exe executing malicious file",
      "first_find_time": "2017-09-22 11:15:00",
      "source": "aliyun"
    }
  ],
  "Domain": "example.com",
  "SslCert": {
    "serial_number": "183954751680****4",
    "validity_end": "2029-12-02 06:00:31",
    "issuer": "example.ca"
  },
  "AttackPreferenceTop5": "[{\"event_cnt\":586,\"industry_name\":\"Gaming\",\"gmt_last_attack\":\"2020-06-14 21:54:04\"}]",
  "ThreatTypes": [
    {
      "threat_type_desc": "Malicious download source",
      "last_find_time": "2020-06-17 03:54:23",
      "risk_type": 3,
      "scenario": "Compromise indicator",
      "threat_type": "Malicious Source",
      "first_find_time": "2020-01-01 00:59:52",
      "attck_stage": "delivery"
    },
    {
      "threat_type_desc": "Regsvr32 execution",
      "last_find_time": "2020-11-10 14:45:12",
      "risk_type": 3,
      "scenario": "Compromise indicator",
      "threat_type": "Regsvr32",
      "first_find_time": "2017-09-22 11:15:00",
      "attck_stage": "defense evasion"
    }
  ],
  "Confidence": "95",
  "ThreatLevel": "2",
  "AttackCntByThreatType": {
    "event_cnt": 27,
    "threat_type": "Network Layer intrusion"
  },
  "Context": "",
  "Whois": {
    "registrant_phone": "",
    "registrar": "XX Technology Co., Ltd.",
    "registrar_url": "",
    "whois_server": "whois.cnnic.cn",
    "admin_phone": "",
    "registrar_phone": "",
    "registrant_email": "",
    "admin_email": "",
    "admin_organization": "",
    "tech_name": "",
    "registrant_city": "",
    "tech_street": "",
    "tech_phone": "",
    "dnssec": "unsigned",
    "admin_province": "",
    "tech_organization": "",
    "registrant_country": "",
    "admin_city": "",
    "registrant_province": "",
    "admin_street": "",
    "tech_email": "",
    "nameservers": "ns4.myhostadmin.net,ns1.myhostadmin.net,ns2.myhostadmin.net,ns3.myhostadmin.net,ns5.myhostadmin.net,ns6.myhostadmin.net",
    "registrar_email": "",
    "domain_status": "ok",
    "domain": "example.com",
    "tech_city": "",
    "registrant_name": "",
    "registrant_organization": "",
    "tech_country": "",
    "registrant_street": "",
    "admin_name": "",
    "tech_province": "",
    "admin_country": ""
  },
  "RequestId": "718747A4-9A75-4130-88F9-C9B47350B7F5",
  "Scenario": "Compromise indicator",
  "Basic": {
    "ip_cnt": "36",
    "domain": "example.com",
    "child_domain_cnt": "18",
    "sld_domain": "example.com",
    "malicious_ip_cnt": "28",
    "malicious_child_domain_cnt": "4"
  },
  "Group": ""
}
```
Configuration example
Import the following JSON as a test playbook and use the visual flow editor to test the action parameters.
Save the example data as a JSON file before importing. For import instructions, see Playbook import.
The example configures a single describeInformation node with the following parameters:
```json
{
  "componentName": "ThreatIntelligence",
  "actionName": "describeInformation",
  "parameters": [
    {
      "name": "entityType",
      "dataType": "String",
      "required": true,
      "description": "The type of intelligence. Valid values: ip, file, domain."
    },
    {
      "name": "entityValue",
      "dataType": "String",
      "required": true,
      "description": "The value to query. See the input parameters section for format details."
    }
  ],
  "valueData": {
    "entityType": "ip",
    "entityValue": "127.0.0.1"
  }
}
```