Threatbook component-Security Center(Security Center)-阿里云帮助中心

The Threatbook component calls Threatbook APIs to retrieve file analysis reports and assess IP addresses and domain names for threats.

Prerequisites

Before using the ThreatBook component, navigate to System Settings > Feature Settings > Multi-cloud Configuration Management and authorize your off-cloud IDC assets in the Multi-cloud Assets module. If you have already done so, skip this step.

Click Add Authorization and select IDC. In the asset access panel, configure the following parameters:
Note
By default, Agentic SOC supports authorization only for ThreatBook.
Parameter
Description
Vendor
ThreatBook.
Product
Threat Intelligence Cloud API.
Account ID
Your ThreatBook account ID.
API key
Your ThreatBook API key.
Enable AK Service Status Check to prevent service disruptions from an invalid AccessKey.

Features

Actions	Description
fileReport	Retrieves detailed static analysis and dynamic analysis reports for a file. The reports include a file summary, network behavior, behavioral signatures, static information, dropped file behavior, process behavior, and antivirus scan engine detection results.
iocReport	Analyzes IP addresses or domain names associated with outbound traffic from an office or production network. It uses detection rules to determine if an IP address or domain name is malicious, as well as its risk severity and confidence levels. It also identifies threats such as C2 servers, malware, and miner pools, and provides related security events or threat actor tags.
ipReport	Analyzes IP addresses involved in inbound connections and provides their geographic location and ASN information. It uses detection rules to determine if an IP address is malicious, as well as its risk severity and confidence levels. It also identifies threat types, such as exploits and zombies, and provides related security events or threat actor tags.

Component configuration

This topic provides example parameter configurations for each action in the Threatbook component that you can import as test playbooks. The visual editor lets you intuitively understand and test the parameters for each action, which helps you master the component. For detailed instructions, see Import a playbook.

Note

Save the sample data as a JSON file.

Sample data

{
    "cells": [{
		"position": {
			"x": -400,
			"y": -155
		},
		"size": {
			"width": 36,
			"height": 36
		},
		"attrs": {
			"body": {
				"fill": "white",
				"strokeOpacity": 0.95,
				"stroke": "#63ba4d",
				"strokeWidth": 2
			},
			"label": {
				"text": "start",
				"fontSize": 12,
				"refX": 0.5,
				"refY": "100%",
				"refY2": 4,
				"textAnchor": "middle",
				"textVerticalAnchor": "top"
			},
			"path": {
				"stroke": "#63ba4d"
			}
		},
		"visible": true,
		"shape": "circle",
		"id": "58d87b7d-28d9-4f0e-b135-4adc4f1a70e4",
		"zIndex": 1,
		"data": {
			"nodeType": "startEvent",
			"appType": "basic",
			"nodeName": "start",
			"icon": "icon-circle",
			"description": "The start node of the playbook. A playbook must have exactly one start node. You must configure input data for the playbook.",
			"cascaderValue": []
		},
		"markup": [{
			"tagName": "circle",
			"selector": "body"
		}, {
			"tagName": "text",
			"selector": "label"
		}],
		"isNode": true
	}, {
		"shape": "custom-edge",
		"attrs": {
			"line": {
				"stroke": "#63ba4d",
				"targetMarker": {
					"stroke": "#63ba4d"
				}
			}
		},
		"zIndex": 1,
		"id": "5293c3f9-e1c9-4a49-b0eb-635067dc67e8",
		"data": {
			"nodeType": "sequenceFlow",
			"appType": "basic",
			"icon": "icon-upper-right-arrow",
			"isRequired": true
		},
		"isNode": false,
		"source": {
			"cell": "58d87b7d-28d9-4f0e-b135-4adc4f1a70e4"
		},
		"target": {
			"cell": "19fca1bc-4cf1-491e-9ae4-ee5d3f0c2f61"
		},
		"router": {
			"name": "normal"
		},
		"visible": true,
		"vertices": [{
			"x": -382,
			"y": -247
		}]
	}, {
		"position": {
			"x": 140,
			"y": -155
		},
		"size": {
			"width": 36,
			"height": 36
		},
		"attrs": {
			"body": {
				"fill": "white",
				"strokeOpacity": 0.95,
				"stroke": "#d93026",
				"strokeWidth": 2
			},
			"path": {
				"r": 12,
				"refX": "50%",
				"refY": "50%",
				"fill": "#d93026",
				"strokeOpacity": 0.95,
				"stroke": "#d93026",
				"strokeWidth": 4
			},
			"label": {
				"text": "end",
				"fontSize": 12,
				"refX": 0.5,
				"refY": "100%",
				"refY2": 4,
				"textAnchor": "middle",
				"textVerticalAnchor": "top"
			}
		},
		"visible": true,
		"shape": "circle",
		"id": "317dd1be-2d20-460e-977e-1fc936ffb583",
		"zIndex": 1,
		"data": {
			"nodeType": "endEvent",
			"appType": "basic",
			"nodeName": "end",
			"icon": "icon-radio-off-full",
			"description": "The end node of the playbook."
		},
		"markup": [{
			"tagName": "circle",
			"selector": "body"
		}, {
			"tagName": "circle",
			"selector": "path"
		}, {
			"tagName": "text",
			"selector": "label"
		}],
		"isNode": true
	}, {
		"position": {
			"x": -190,
			"y": -280
		},
		"size": {
			"width": 137,
			"height": 66
		},
		"view": "react-shape-view",
		"attrs": {
			"label": {
				"text": "File report"
			}
		},
		"shape": "activity",
		"id": "19fca1bc-4cf1-491e-9ae4-ee5d3f0c2f61",
		"zIndex": 1,
		"data": {
			"isDebug": false,
			"nodeType": "action",
			"appType": "component",
			"nodeName": "file_report",
			"valueData": {
				"userId": "",
				"resource": "${event.file}",
				"cloudUserId": "7f7cd2ebedc544f7bf9be74dab7fcca4"
			},
			"icon": "https://sophon-gen-cloud-zhangjiakou-v2.oss-cn-zhangjiakou.aliyuncs.com/componentUpload/1755245577536_Threatbook_logo.svg?Expires=1755832376&OSSAccessKeyId=STS.NXwN8h********EJeH&Signature=p4KGzHhTrIZdiJxpACRpM7ROLE0%3D&security-token=CAIS2AJ1q6Ft5B2yfSjIr5vCBYLchKtswKq%2BRVT21nkPbd5%2Bqo%2FOqjz2IHhMenFpAegcv%2Fw%2BlGFZ6%2F8elrp6SJtIXleCZtF94oxN9h2gb4fb42MeBDXg08%2FLI3OaLjKm9u2wCryLYbGwU%2FOpbE%2B%2B5U0X6LDmdDKkckW4OJmS8%2FBOZcgWWQ%2FKBlgvRq0hRG1YpdQdKGHaONu0LxfumRCwNkdzvRdmgm4NgsbWgO%2Fks0OP3AOrlrBN%2Bdiuf8T9NvMBZskvD42Hu8VtbbfE3SJq7BxHybx7lqQs%2B02c5onDWwAJu0%2FXa7uEo4wydVNjFbM9A65Dqufxn%2Fpgt%2Braj4X7xhhEIOVJSSPbSZBbSxJNvU1RXDxQVcEYWxylurjnXvF%2B4xU3%2BP9tP0rM946UoJvc3YDI5hWbc8mJsTnhSSTAEIv%2By8ptqoFOtH7DkLTHWR7hCtv23053AashMytAXxqAAXNQ89LjX6M4bFYRAxsXrln0LN%2BTDs1Hk1dCGQ2edPqhVybm1axt7NpKWS7Xcrd6BKtuwqREs%2FZkIO8E%2BZRbfaX6uHOx9sHx1M1Y7HDHt%2BDvloHULH0rQNLniKayaTCJlIiyUPe8TaK3lv4mipQQf16PqYqAsx2Zu7Bqx9Np2CYIIAA%3D",
			"description": "Gets detailed static and dynamic analysis reports for a file. The reports include a summary, network behavior, behavioral signatures, static information, dropped file behavior, process behavior, and antivirus scan engine results.",
			"advance": {
				"inputParamMode": false,
				"onError": "stop_cur_flow",
				"rspStatusType": 3,
				"rspStatusThreshold": 0
			},
			"componentName": "Threatbook",
			"actionName": "fileReport",
			"cascaderValue": [{
				"label": "configuration",
				"value": "${configuration}",
				"children": [{
					"label": "configuration.datalist.*.triggerType",
					"name": "configuration.datalist.*.triggerType",
					"value": "${configuration.datalist.*.triggerType}"
				}, {
					"label": "configuration.datalist.*._req_uuid",
					"name": "configuration.datalist.*._req_uuid",
					"value": "${configuration.datalist.*._req_uuid}"
				}, {
					"label": "configuration.datalist.*.scope.*.aliUid",
					"name": "configuration.datalist.*.scope.*.aliUid",
					"value": "${configuration.datalist.*.scope.*.aliUid}"
				}, {
					"label": "configuration.datalist.*.process.start_time",
					"name": "configuration.datalist.*.process.start_time",
					"value": "${configuration.datalist.*.process.start_time}"
				}, {
					"label": "configuration.status",
					"name": "configuration.status",
					"value": "${configuration.status}"
				}, {
					"label": "configuration.datalist.*.process.proc_id",
					"name": "configuration.datalist.*.process.proc_id",
					"value": "${configuration.datalist.*.process.proc_id}"
				}, {
					"label": "configuration.datalist.*._tenant_id",
					"name": "configuration.datalist.*._tenant_id",
					"value": "${configuration.datalist.*._tenant_id}"
				}, {
					"label": "configuration.datalist.*.process.host_uuid.host_uuid",
					"name": "configuration.datalist.*.process.host_uuid.host_uuid",
					"value": "${configuration.datalist.*.process.host_uuid.host_uuid}"
				}, {
					"label": "configuration.total_data",
					"name": "configuration.total_data",
					"value": "${configuration.total_data}"
				}, {
					"label": "configuration.datalist.*._trigger_user",
					"name": "configuration.datalist.*._trigger_user",
					"value": "${configuration.datalist.*._trigger_user}"
				}, {
					"label": "configuration.datalist.*.process.host_uuid.os_type",
					"name": "configuration.datalist.*.process.host_uuid.os_type",
					"value": "${configuration.datalist.*.process.host_uuid.os_type}"
				}, {
					"label": "configuration.datalist.*.process.cmd_line",
					"name": "configuration.datalist.*.process.cmd_line",
					"value": "${configuration.datalist.*.process.cmd_line}"
				}, {
					"label": "configuration.datalist.*.triggerUser",
					"name": "configuration.datalist.*.triggerUser",
					"value": "${configuration.datalist.*.triggerUser}"
				}, {
					"label": "configuration.datalist.*._domain_id",
					"name": "configuration.datalist.*._domain_id",
					"value": "${configuration.datalist.*._domain_id}"
				}, {
					"label": "configuration.datalist.*.process.file_path.file_path",
					"name": "configuration.datalist.*.process.file_path.file_path",
					"value": "${configuration.datalist.*.process.file_path.file_path}"
				}, {
					"label": "configuration.total_data_with_dup",
					"name": "configuration.total_data_with_dup",
					"value": "${configuration.total_data_with_dup}"
				}, {
					"label": "configuration.total_exe_successful",
					"name": "configuration.total_exe_successful",
					"value": "${configuration.total_exe_successful}"
				}, {
					"label": "configuration.datalist.*.scope.*.cloudCode",
					"name": "configuration.datalist.*.scope.*.cloudCode",
					"value": "${configuration.datalist.*.scope.*.cloudCode}"
				}, {
					"label": "configuration.total_data_successful",
					"name": "configuration.total_data_successful",
					"value": "${configuration.total_data_successful}"
				}, {
					"label": "configuration.total_exe",
					"name": "configuration.total_exe",
					"value": "${configuration.total_exe}"
				}, {
					"label": "configuration.datalist.*.scope.*.userId",
					"name": "configuration.datalist.*.scope.*.userId",
					"value": "${configuration.datalist.*.scope.*.userId}"
				}, {
					"label": "configuration.datalist.*._region_id",
					"name": "configuration.datalist.*._region_id",
					"value": "${configuration.datalist.*._region_id}"
				}, {
					"label": "configuration.datalist.*.process.file_path.hash_value",
					"name": "configuration.datalist.*.process.file_path.hash_value",
					"value": "${configuration.datalist.*.process.file_path.hash_value}"
				}]
			}],
			"status": "success"
		},
		"isNode": true
	}, {
		"position": {
			"x": -190,
			"y": -170
		},
		"size": {
			"width": 137,
			"height": 66
		},
		"view": "react-shape-view",
		"attrs": {
			"label": {
				"text": "IOC report"
			}
		},
		"shape": "activity",
		"id": "e0082b2e-d82c-464f-a22f-9b67eb47a363",
		"zIndex": 1,
		"data": {
			"isDebug": false,
			"nodeType": "action",
			"appType": "component",
			"nodeName": "ioc_report",
			"valueData": {
				"cloudUserId": "7f7cd2ebedc544f7bf9be74dab7fcca4",
				"resource": "${event.ioc}"
			},
			"icon": "https://sophon-gen-cloud-zhangjiakou-v2.oss-cn-zhangjiakou.aliyuncs.com/componentUpload/1755245577536_Threatbook_logo.svg?Expires=1755832376&OSSAccessKeyId=STS.NXwN8h********EJeH&Signature=p4KGzHhTrIZdiJxpACRpM7ROLE0%3D&security-token=CAIS2AJ1q6Ft5B2yfSjIr5vCBYLchKtswKq%2BRVT21nkPbd5%2Bqo%2FOqjz2IHhMenFpAegcv%2Fw%2BlGFZ6%2F8elrp6SJtIXleCZtF94oxN9h2gb4fb42MeBDXg08%2FLI3OaLjKm9u2wCryLYbGwU%2FOpbE%2B%2B5U0X6LDmdDKkckW4OJmS8%2FBOZcgWWQ%2FKBlgvRq0hRG1YpdQdKGHaONu0LxfumRCwNkdzvRdmgm4NgsbWgO%2Fks0OP3AOrlrBN%2Bdiuf8T9NvMBZskvD42Hu8VtbbfE3SJq7BxHybx7lqQs%2B02c5onDWwAJu0%2FXa7uEo4wydVNjFbM9A65Dqufxn%2Fpgt%2Braj4X7xhhEIOVJSSPbSZBbSxJNvU1RXDxQVcEYWxylurjnXvF%2B4xU3%2BP9tP0rM946UoJvc3YDI5hWbc8mJsTnhSSTAEIv%2By8ptqoFOtH7DkLTHWR7hCtv23053AashMytAXxqAAXNQ89LjX6M4bFYRAxsXrln0LN%2BTDs1Hk1dCGQ2edPqhVybm1axt7NpKWS7Xcrd6BKtuwqREs%2FZkIO8E%2BZRbfaX6uHOx9sHx1M1Y7HDHt%2BDvloHULH0rQNLniKayaTCJlIiyUPe8TaK3lv4mipQQf16PqYqAsx2Zu7Bqx9Np2CYIIAA%3D",
			"description": "Analyzes IP addresses or domain names for outbound access scenarios, such as office or production networks. It determines if an IP address or domain name is malicious, and assesses its risk severity level and confidence level. It also identifies threats such as C2, malware, and miner pools, and provides tags for related security events and threat actors.",
			"advance": {
				"inputParamMode": false,
				"onError": "stop_cur_flow",
				"rspStatusType": 3,
				"rspStatusThreshold": 0
			},
			"componentName": "Threatbook",
			"actionName": "iocReport",
			"status": "failed",
			"cascaderValue": [{
				"label": "Threatbook_1",
				"value": "${Threatbook_1}",
				"children": [{
					"label": "Threatbook_1.datalist.*.network.tls_ex",
					"name": "Threatbook_1.datalist.*.network.tls_ex",
					"value": "${Threatbook_1.datalist.*.network.tls_ex}"
				}, {
					"label": "Threatbook_1.datalist.*.summary.file_size",
					"name": "Threatbook_1.datalist.*.summary.file_size",
					"value": "${Threatbook_1.datalist.*.summary.file_size}"
				}, {
					"label": "Threatbook_1.datalist.*.summary.sandbox_type_list",
					"name": "Threatbook_1.datalist.*.summary.sandbox_type_list",
					"value": "${Threatbook_1.datalist.*.summary.sandbox_type_list}"
				}, {
					"label": "Threatbook_1.datalist.*.pstree.children.*.process_name",
					"name": "Threatbook_1.datalist.*.pstree.children.*.process_name",
					"value": "${Threatbook_1.datalist.*.pstree.children.*.process_name}"
				}, {
					"label": "Threatbook_1.datalist.*.summary.md5",
					"name": "Threatbook_1.datalist.*.summary.md5",
					"value": "${Threatbook_1.datalist.*.summary.md5}"
				}, {
					"label": "Threatbook_1.datalist.*.multiengines.result.vbwebshell",
					"name": "Threatbook_1.datalist.*.multiengines.result.vbwebshell",
					"value": "${Threatbook_1.datalist.*.multiengines.result.vbwebshell}"
				}, {
					"label": "Threatbook_1.datalist.*.multiengines.result.Microsoft",
					"name": "Threatbook_1.datalist.*.multiengines.result.Microsoft",
					"value": "${Threatbook_1.datalist.*.multiengines.result.Microsoft}"
				}, {
					"label": "Threatbook_1.datalist.*.signature.*.marks.*.call.category",
					"name": "Threatbook_1.datalist.*.signature.*.marks.*.call.category",
					"value": "${Threatbook_1.datalist.*.signature.*.marks.*.call.category}"
				}, {
					"label": "Threatbook_1.total_exe",
					"name": "Threatbook_1.total_exe",
					"value": "${Threatbook_1.total_exe}"
				}, {
					"label": "Threatbook_1.datalist.*.summary.sample_sha256",
					"name": "Threatbook_1.datalist.*.summary.sample_sha256",
					"value": "${Threatbook_1.datalist.*.summary.sample_sha256}"
				}, {
					"label": "Threatbook_1.datalist.*.summary.malware_family",
					"name": "Threatbook_1.datalist.*.summary.malware_family",
					"value": "${Threatbook_1.datalist.*.summary.malware_family}"
				}, {
					"label": "Threatbook_1.datalist.*.multiengines.result.Baidu",
					"name": "Threatbook_1.datalist.*.multiengines.result.Baidu",
					"value": "${Threatbook_1.datalist.*.multiengines.result.Baidu}"
				}, {
					"label": "Threatbook_1.datalist.*.static.basic.md5",
					"name": "Threatbook_1.datalist.*.static.basic.md5",
					"value": "${Threatbook_1.datalist.*.static.basic.md5}"
				}, {
					"label": "Threatbook_1.datalist.*.summary.tag.s",
					"name": "Threatbook_1.datalist.*.summary.tag.s",
					"value": "${Threatbook_1.datalist.*.summary.tag.s}"
				}, {
					"label": "Threatbook_1.datalist.*.multiengines.result.OneStatic",
					"name": "Threatbook_1.datalist.*.multiengines.result.OneStatic",
					"value": "${Threatbook_1.datalist.*.multiengines.result.OneStatic}"
				}, {
					"label": "Threatbook_1.datalist.*.multiengines.result.DrWeb",
					"name": "Threatbook_1.datalist.*.multiengines.result.DrWeb",
					"value": "${Threatbook_1.datalist.*.multiengines.result.DrWeb}"
				}, {
					"label": "Threatbook_1.datalist.*.summary.tag.x",
					"name": "Threatbook_1.datalist.*.summary.tag.x",
					"value": "${Threatbook_1.datalist.*.summary.tag.x}"
				}, {
					"label": "Threatbook_1.datalist.*.summary.file_name",
					"name": "Threatbook_1.datalist.*.summary.file_name",
					"value": "${Threatbook_1.datalist.*.summary.file_name}"
				}, {
					"label": "Threatbook_1.datalist.*.signature.*.marks.*.call.api",
					"name": "Threatbook_1.datalist.*.signature.*.marks.*.call.api",
					"value": "${Threatbook_1.datalist.*.signature.*.marks.*.call.api}"
				}, {
					"label": "Threatbook_1.datalist.*.signature.*.marks.*.call.status",
					"name": "Threatbook_1.datalist.*.signature.*.marks.*.call.status",
					"value": "${Threatbook_1.datalist.*.signature.*.marks.*.call.status}"
				}, {
					"label": "Threatbook_1.datalist.*.signature.*.markcount",
					"name": "Threatbook_1.datalist.*.signature.*.markcount",
					"value": "${Threatbook_1.datalist.*.signature.*.markcount}"
				}, {
					"label": "Threatbook_1.datalist.*.summary.threat_score",
					"name": "Threatbook_1.datalist.*.summary.threat_score",
					"value": "${Threatbook_1.datalist.*.summary.threat_score}"
				}, {
					"label": "Threatbook_1.datalist.*.multiengines.result.NANO",
					"name": "Threatbook_1.datalist.*.multiengines.result.NANO",
					"value": "${Threatbook_1.datalist.*.multiengines.result.NANO}"
				}, {
					"label": "Threatbook_1.datalist.*.multiengines.result.Panda",
					"name": "Threatbook_1.datalist.*.multiengines.result.Panda",
					"value": "${Threatbook_1.datalist.*.multiengines.result.Panda}"
				}, {
					"label": "Threatbook_1.datalist.*.static.basic.file_type",
					"name": "Threatbook_1.datalist.*.static.basic.file_type",
					"value": "${Threatbook_1.datalist.*.static.basic.file_type}"
				}, {
					"label": "Threatbook_1.datalist.*.summary.sha1",
					"name": "Threatbook_1.datalist.*.summary.sha1",
					"value": "${Threatbook_1.datalist.*.summary.sha1}"
				}, {
					"label": "Threatbook_1.datalist.*.multiengines.result.Kaspersky",
					"name": "Threatbook_1.datalist.*.multiengines.result.Kaspersky",
					"value": "${Threatbook_1.datalist.*.multiengines.result.Kaspersky}"
				}, {
					"label": "Threatbook_1.total_exe_successful",
					"name": "Threatbook_1.total_exe_successful",
					"value": "${Threatbook_1.total_exe_successful}"
				}, {
					"label": "Threatbook_1.datalist.*.summary.threat_level",
					"name": "Threatbook_1.datalist.*.summary.threat_level",
					"value": "${Threatbook_1.datalist.*.summary.threat_level}"
				}, {
					"label": "Threatbook_1.datalist.*.pstree.process_name.en",
					"name": "Threatbook_1.datalist.*.pstree.process_name.en",
					"value": "${Threatbook_1.datalist.*.pstree.process_name.en}"
				}, {
					"label": "Threatbook_1.datalist.*.multiengines.result.Trustlook",
					"name": "Threatbook_1.datalist.*.multiengines.result.Trustlook",
					"value": "${Threatbook_1.datalist.*.multiengines.result.Trustlook}"
				}, {
					"label": "Threatbook_1.datalist.*.summary.malware_type",
					"name": "Threatbook_1.datalist.*.summary.malware_type",
					"value": "${Threatbook_1.datalist.*.summary.malware_type}"
				}, {
					"label": "Threatbook_1.datalist.*.static.basic.sha256",
					"name": "Threatbook_1.datalist.*.static.basic.sha256",
					"value": "${Threatbook_1.datalist.*.static.basic.sha256}"
				}, {
					"label": "Threatbook_1.datalist.*.strings.275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
					"name": "Threatbook_1.datalist.*.strings.275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
					"value": "${Threatbook_1.datalist.*.strings.275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f}"
				}, {
					"label": "Threatbook_1.datalist.*.signature.*.marks.*.cid",
					"name": "Threatbook_1.datalist.*.signature.*.marks.*.cid",
					"value": "${Threatbook_1.datalist.*.signature.*.marks.*.cid}"
				}, {
					"label": "Threatbook_1.datalist.*.multiengines.result.Avast",
					"name": "Threatbook_1.datalist.*.multiengines.result.Avast",
					"value": "${Threatbook_1.datalist.*.multiengines.result.Avast}"
				}, {
					"label": "Threatbook_1.total_data_successful",
					"name": "Threatbook_1.total_data_successful",
					"value": "${Threatbook_1.total_data_successful}"
				}, {
					"label": "Threatbook_1.datalist.*.signature.*.sig_class",
					"name": "Threatbook_1.datalist.*.signature.*.sig_class",
					"value": "${Threatbook_1.datalist.*.signature.*.sig_class}"
				}, {
					"label": "Threatbook_1.datalist.*.multiengines.result.Baidu-China",
					"name": "Threatbook_1.datalist.*.multiengines.result.Baidu-China",
					"value": "${Threatbook_1.datalist.*.multiengines.result.Baidu-China}"
				}, {
					"label": "Threatbook_1.datalist.*.pstree.children.*.command_line",
					"name": "Threatbook_1.datalist.*.pstree.children.*.command_line",
					"value": "${Threatbook_1.datalist.*.pstree.children.*.command_line}"
				}, {
					"label": "Threatbook_1.datalist.*.multiengines.result.Rising",
					"name": "Threatbook_1.datalist.*.multiengines.result.Rising",
					"value": "${Threatbook_1.datalist.*.multiengines.result.Rising}"
				}, {
					"label": "Threatbook_1.datalist.*.signature.*.attck_id",
					"name": "Threatbook_1.datalist.*.signature.*.attck_id",
					"value": "${Threatbook_1.datalist.*.signature.*.attck_id}"
				}, {
					"label": "Threatbook_1.total_data",
					"name": "Threatbook_1.total_data",
					"value": "${Threatbook_1.total_data}"
				}, {
					"label": "Threatbook_1.datalist.*.summary.sandbox_type",
					"name": "Threatbook_1.datalist.*.summary.sandbox_type",
					"value": "${Threatbook_1.datalist.*.summary.sandbox_type}"
				}, {
					"label": "Threatbook_1.total_data_with_dup",
					"name": "Threatbook_1.total_data_with_dup",
					"value": "${Threatbook_1.total_data_with_dup}"
				}, {
					"label": "Threatbook_1.datalist.*.multiengines.result.ShellPub",
					"name": "Threatbook_1.datalist.*.multiengines.result.ShellPub",
					"value": "${Threatbook_1.datalist.*.multiengines.result.ShellPub}"
				}, {
					"label": "Threatbook_1.datalist.*.multiengines.result.MicroAPT",
					"name": "Threatbook_1.datalist.*.multiengines.result.MicroAPT",
					"value": "${Threatbook_1.datalist.*.multiengines.result.MicroAPT}"
				}, {
					"label": "Threatbook_1.datalist.*.summary.multi_engines",
					"name": "Threatbook_1.datalist.*.summary.multi_engines",
					"value": "${Threatbook_1.datalist.*.summary.multi_engines}"
				}, {
					"label": "Threatbook_1.datalist.*.multiengines.result.ClamAV",
					"name": "Threatbook_1.datalist.*.multiengines.result.ClamAV",
					"value": "${Threatbook_1.datalist.*.multiengines.result.ClamAV}"
				}, {
					"label": "Threatbook_1.datalist.*.summary.file_type",
					"name": "Threatbook_1.datalist.*.summary.file_type",
					"value": "${Threatbook_1.datalist.*.summary.file_type}"
				}, {
					"label": "Threatbook_1.datalist.*.multiengines.result.ESET",
					"name": "Threatbook_1.datalist.*.multiengines.result.ESET",
					"value": "${Threatbook_1.datalist.*.multiengines.result.ESET}"
				}, {
					"label": "Threatbook_1.datalist.*.multiengines.result.K7",
					"name": "Threatbook_1.datalist.*.multiengines.result.K7",
					"value": "${Threatbook_1.datalist.*.multiengines.result.K7}"
				}, {
					"label": "Threatbook_1.datalist.*.multiengines.detect_rate",
					"name": "Threatbook_1.datalist.*.multiengines.detect_rate",
					"value": "${Threatbook_1.datalist.*.multiengines.detect_rate}"
				}, {
					"label": "Threatbook_1.datalist.*.multiengines.result.OneAV",
					"name": "Threatbook_1.datalist.*.multiengines.result.OneAV",
					"value": "${Threatbook_1.datalist.*.multiengines.result.OneAV}"
				}, {
					"label": "Threatbook_1.datalist.*.signature.*.name",
					"name": "Threatbook_1.datalist.*.signature.*.name",
					"value": "${Threatbook_1.datalist.*.signature.*.name}"
				}, {
					"label": "Threatbook_1.datalist.*.signature.*.marks.*.call.tid",
					"name": "Threatbook_1.datalist.*.signature.*.marks.*.call.tid",
					"value": "${Threatbook_1.datalist.*.signature.*.marks.*.call.tid}"
				}, {
					"label": "Threatbook_1.datalist.*.multiengines.scan_time",
					"name": "Threatbook_1.datalist.*.multiengines.scan_time",
					"value": "${Threatbook_1.datalist.*.multiengines.scan_time}"
				}, {
					"label": "Threatbook_1.datalist.*.summary.is_whitelist",
					"name": "Threatbook_1.datalist.*.summary.is_whitelist",
					"value": "${Threatbook_1.datalist.*.summary.is_whitelist}"
				}, {
					"label": "Threatbook_1.datalist.*.multiengines.result.Qihu360",
					"name": "Threatbook_1.datalist.*.multiengines.result.Qihu360",
					"value": "${Threatbook_1.datalist.*.multiengines.result.Qihu360}"
				}, {
					"label": "Threatbook_1.datalist.*.multiengines.result.Sophos",
					"name": "Threatbook_1.datalist.*.multiengines.result.Sophos",
					"value": "${Threatbook_1.datalist.*.multiengines.result.Sophos}"
				}, {
					"label": "Threatbook_1.datalist.*.multiengines.result.Antiy",
					"name": "Threatbook_1.datalist.*.multiengines.result.Antiy",
					"value": "${Threatbook_1.datalist.*.multiengines.result.Antiy}"
				}, {
					"label": "Threatbook_1.datalist.*.multiengines.result.GDATA",
					"name": "Threatbook_1.datalist.*.multiengines.result.GDATA",
					"value": "${Threatbook_1.datalist.*.multiengines.result.GDATA}"
				}, {
					"label": "Threatbook_1.datalist.*.signature.*.marks.*.call.time",
					"name": "Threatbook_1.datalist.*.signature.*.marks.*.call.time",
					"value": "${Threatbook_1.datalist.*.signature.*.marks.*.call.time}"
				}, {
					"label": "Threatbook_1.status",
					"name": "Threatbook_1.status",
					"value": "${Threatbook_1.status}"
				}, {
					"label": "Threatbook_1.datalist.*.multiengines.result.JiangMin",
					"name": "Threatbook_1.datalist.*.multiengines.result.JiangMin",
					"value": "${Threatbook_1.datalist.*.multiengines.result.JiangMin}"
				}, {
					"label": "Threatbook_1.datalist.*.signature.*.marks.*.call.return_value",
					"name": "Threatbook_1.datalist.*.signature.*.marks.*.call.return_value",
					"value": "${Threatbook_1.datalist.*.signature.*.marks.*.call.return_value}"
				}, {
					"label": "Threatbook_1.datalist.*.multiengines.result.AVG",
					"name": "Threatbook_1.datalist.*.multiengines.result.AVG",
					"value": "${Threatbook_1.datalist.*.multiengines.result.AVG}"
				}, {
					"label": "Threatbook_1.datalist.*.network.dns_servers",
					"name": "Threatbook_1.datalist.*.network.dns_servers",
					"value": "${Threatbook_1.datalist.*.network.dns_servers}"
				}, {
					"label": "Threatbook_1.datalist.*.signature.*.description",
					"name": "Threatbook_1.datalist.*.signature.*.description",
					"value": "${Threatbook_1.datalist.*.signature.*.description}"
				}, {
					"label": "Threatbook_1.datalist.*.strings.pcap",
					"name": "Threatbook_1.datalist.*.strings.pcap",
					"value": "${Threatbook_1.datalist.*.strings.pcap}"
				}, {
					"label": "Threatbook_1.datalist.*.signature.*.marks.*.pid",
					"name": "Threatbook_1.datalist.*.signature.*.marks.*.pid",
					"value": "${Threatbook_1.datalist.*.signature.*.marks.*.pid}"
				}, {
					"label": "Threatbook_1.datalist.*.multiengines.result.IKARUS",
					"name": "Threatbook_1.datalist.*.multiengines.result.IKARUS",
					"value": "${Threatbook_1.datalist.*.multiengines.result.IKARUS}"
				}, {
					"label": "Threatbook_1.datalist.*.pstree.children.*.first_seen",
					"name": "Threatbook_1.datalist.*.pstree.children.*.first_seen",
					"value": "${Threatbook_1.datalist.*.pstree.children.*.first_seen}"
				}, {
					"label": "Threatbook_1.datalist.*.signature.*.marks.*.type",
					"name": "Threatbook_1.datalist.*.signature.*.marks.*.type",
					"value": "${Threatbook_1.datalist.*.signature.*.marks.*.type}"
				}, {
					"label": "Threatbook_1.datalist.*.multiengines.result.Avira",
					"name": "Threatbook_1.datalist.*.multiengines.result.Avira",
					"value": "${Threatbook_1.datalist.*.multiengines.result.Avira}"
				}, {
					"label": "Threatbook_1.datalist.*.pstree.children.*.ppid",
					"name": "Threatbook_1.datalist.*.pstree.children.*.ppid",
					"value": "${Threatbook_1.datalist.*.pstree.children.*.ppid}"
				}, {
					"label": "Threatbook_1.datalist.*.multiengines.result.MicroNonPE",
					"name": "Threatbook_1.datalist.*.multiengines.result.MicroNonPE",
					"value": "${Threatbook_1.datalist.*.multiengines.result.MicroNonPE}"
				}, {
					"label": "Threatbook_1.datalist.*.static.basic.ssdeep",
					"name": "Threatbook_1.datalist.*.static.basic.ssdeep",
					"value": "${Threatbook_1.datalist.*.static.basic.ssdeep}"
				}, {
					"label": "Threatbook_1.datalist.*.static.basic.file_size",
					"name": "Threatbook_1.datalist.*.static.basic.file_size",
					"value": "${Threatbook_1.datalist.*.static.basic.file_size}"
				}, {
					"label": "Threatbook_1.datalist.*.multiengines.result.OneAV-PWSH",
					"name": "Threatbook_1.datalist.*.multiengines.result.OneAV-PWSH",
					"value": "${Threatbook_1.datalist.*.multiengines.result.OneAV-PWSH}"
				}, {
					"label": "Threatbook_1.datalist.*.pstree.process_name.cn",
					"name": "Threatbook_1.datalist.*.pstree.process_name.cn",
					"value": "${Threatbook_1.datalist.*.pstree.process_name.cn}"
				}, {
					"label": "Threatbook_1.datalist.*.network.secret_info",
					"name": "Threatbook_1.datalist.*.network.secret_info",
					"value": "${Threatbook_1.datalist.*.network.secret_info}"
				}, {
					"label": "Threatbook_1.datalist.*.static.basic.sha1",
					"name": "Threatbook_1.datalist.*.static.basic.sha1",
					"value": "${Threatbook_1.datalist.*.static.basic.sha1}"
				}, {
					"label": "Threatbook_1.datalist.*.pstree.children.*.track",
					"name": "Threatbook_1.datalist.*.pstree.children.*.track",
					"value": "${Threatbook_1.datalist.*.pstree.children.*.track}"
				}, {
					"label": "Threatbook_1.datalist.*.summary.submit_time",
					"name": "Threatbook_1.datalist.*.summary.submit_time",
					"value": "${Threatbook_1.datalist.*.summary.submit_time}"
				}, {
					"label": "Threatbook_1.datalist.*.signature.*.severity",
					"name": "Threatbook_1.datalist.*.signature.*.severity",
					"value": "${Threatbook_1.datalist.*.signature.*.severity}"
				}, {
					"label": "Threatbook_1.datalist.*.permalink",
					"name": "Threatbook_1.datalist.*.permalink",
					"value": "${Threatbook_1.datalist.*.permalink}"
				}, {
					"label": "Threatbook_1.datalist.*.pstree.children.*.pid",
					"name": "Threatbook_1.datalist.*.pstree.children.*.pid",
					"value": "${Threatbook_1.datalist.*.pstree.children.*.pid}"
				}, {
					"label": "Threatbook_1.datalist.*.static.basic.file_name",
					"name": "Threatbook_1.datalist.*.static.basic.file_name",
					"value": "${Threatbook_1.datalist.*.static.basic.file_name}"
				}]
			}, {
				"label": "configuration",
				"value": "${configuration}",
				"children": [{
					"label": "configuration.datalist.*.triggerType",
					"name": "configuration.datalist.*.triggerType",
					"value": "${configuration.datalist.*.triggerType}"
				}, {
					"label": "configuration.datalist.*._req_uuid",
					"name": "configuration.datalist.*._req_uuid",
					"value": "${configuration.datalist.*._req_uuid}"
				}, {
					"label": "configuration.datalist.*.scope.*.aliUid",
					"name": "configuration.datalist.*.scope.*.aliUid",
					"value": "${configuration.datalist.*.scope.*.aliUid}"
				}, {
					"label": "configuration.datalist.*.process.start_time",
					"name": "configuration.datalist.*.process.start_time",
					"value": "${configuration.datalist.*.process.start_time}"
				}, {
					"label": "configuration.status",
					"name": "configuration.status",
					"value": "${configuration.status}"
				}, {
					"label": "configuration.datalist.*.process.proc_id",
					"name": "configuration.datalist.*.process.proc_id",
					"value": "${configuration.datalist.*.process.proc_id}"
				}, {
					"label": "configuration.datalist.*._tenant_id",
					"name": "configuration.datalist.*._tenant_id",
					"value": "${configuration.datalist.*._tenant_id}"
				}, {
					"label": "configuration.datalist.*.process.host_uuid.host_uuid",
					"name": "configuration.datalist.*.process.host_uuid.host_uuid",
					"value": "${configuration.datalist.*.process.host_uuid.host_uuid}"
				}, {
					"label": "configuration.total_data",
					"name": "configuration.total_data",
					"value": "${configuration.total_data}"
				}, {
					"label": "configuration.datalist.*._trigger_user",
					"name": "configuration.datalist.*._trigger_user",
					"value": "${configuration.datalist.*._trigger_user}"
				}, {
					"label": "configuration.datalist.*.process.host_uuid.os_type",
					"name": "configuration.datalist.*.process.host_uuid.os_type",
					"value": "${configuration.datalist.*.process.host_uuid.os_type}"
				}, {
					"label": "configuration.datalist.*.process.cmd_line",
					"name": "configuration.datalist.*.process.cmd_line",
					"value": "${configuration.datalist.*.process.cmd_line}"
				}, {
					"label": "configuration.datalist.*.triggerUser",
					"name": "configuration.datalist.*.triggerUser",
					"value": "${configuration.datalist.*.triggerUser}"
				}, {
					"label": "configuration.datalist.*._domain_id",
					"name": "configuration.datalist.*._domain_id",
					"value": "${configuration.datalist.*._domain_id}"
				}, {
					"label": "configuration.datalist.*.process.file_path.file_path",
					"name": "configuration.datalist.*.process.file_path.file_path",
					"value": "${configuration.datalist.*.process.file_path.file_path}"
				}, {
					"label": "configuration.total_data_with_dup",
					"name": "configuration.total_data_with_dup",
					"value": "${configuration.total_data_with_dup}"
				}, {
					"label": "configuration.total_exe_successful",
					"name": "configuration.total_exe_successful",
					"value": "${configuration.total_exe_successful}"
				}, {
					"label": "configuration.datalist.*.scope.*.cloudCode",
					"name": "configuration.datalist.*.scope.*.cloudCode",
					"value": "${configuration.datalist.*.scope.*.cloudCode}"
				}, {
					"label": "configuration.total_data_successful",
					"name": "configuration.total_data_successful",
					"value": "${configuration.total_data_successful}"
				}, {
					"label": "configuration.total_exe",
					"name": "configuration.total_exe",
					"value": "${configuration.total_exe}"
				}, {
					"label": "configuration.datalist.*.scope.*.userId",
					"name": "configuration.datalist.*.scope.*.userId",
					"value": "${configuration.datalist.*.scope.*.userId}"
				}, {
					"label": "configuration.datalist.*._region_id",
					"name": "configuration.datalist.*._region_id",
					"value": "${configuration.datalist.*._region_id}"
				}, {
					"label": "configuration.datalist.*.process.file_path.hash_value",
					"name": "configuration.datalist.*.process.file_path.hash_value",
					"value": "${configuration.datalist.*.process.file_path.hash_value}"
				}]
			}],
			"customInput": false,
			"id": 0,
			"name": "iocReport",
			"operateType": "general",
			"parameters": [{
				"dataType": "String",
				"defaultValue": "",
				"description": "",
				"enDescription": "",
				"name": "userId",
				"needCascader": false,
				"required": false,
				"tags": ""
			}, {
				"dataType": "String",
				"defaultValue": "",
				"description": "The account ID configured for Threatbook in Security Center > Feature Settings > Multicloud Configuration Management.",
				"enDescription": "",
				"name": "cloudUserId",
				"needCascader": false,
				"required": true,
				"tags": ""
			}, {
				"dataType": "String",
				"defaultValue": "",
				"description": "One or more IP addresses or domain names to query, separated by commas. You can specify up to 100 resources per request. Including a port with an IP address can provide higher-confidence results. Example of IP addresses with ports: 8.8.8.8:143,0.0.0.0:80",
				"enDescription": "",
				"name": "resource",
				"needCascader": false,
				"required": true,
				"tags": ""
			}],
			"riskLevel": 2,
			"actionDisplayName": "iocReport"
		},
		"isNode": true
	}, {
		"position": {
			"x": -190,
			"y": -55
		},
		"size": {
			"width": 137,
			"height": 66
		},
		"view": "react-shape-view",
		"attrs": {
			"label": {
				"text": "IP reputation"
			}
		},
		"shape": "activity",
		"id": "8afdafcc-32aa-4ab2-b8b2-abafc4314e85",
		"zIndex": 1,
		"data": {
			"nodeType": "action",
			"appType": "component",
			"nodeName": "ip_reputation",
			"valueData": {
				"cloudUserId": "7f7cd2ebedc544f7bf9be74dab7fcca4",
				"resource": "${event.ip}"
			},
			"icon": "https://sophon-gen-cloud-zhangjiakou-v2.oss-cn-zhangjiakou.aliyuncs.com/componentUpload/1755245577536_Threatbook_logo.svg?Expires=1755832376&OSSAccessKeyId=STS.NXwN8h********EJeH&Signature=p4KGzHhTrIZdiJxpACRpM7ROLE0%3D&security-token=CAIS2AJ1q6Ft5B2yfSjIr5vCBYLchKtswKq%2BRVT21nkPbd5%2Bqo%2FOqjz2IHhMenFpAegcv%2Fw%2BlGFZ6%2F8elrp6SJtIXleCZtF94oxN9h2gb4fb42MeBDXg08%2FLI3OaLjKm9u2wCryLYbGwU%2FOpbE%2B%2B5U0X6LDmdDKkckW4OJmS8%2FBOZcgWWQ%2FKBlgvRq0hRG1YpdQdKGHaONu0LxfumRCwNkdzvRdmgm4NgsbWgO%2Fks0OP3AOrlrBN%2Bdiuf8T9NvMBZskvD42Hu8VtbbfE3SJq7BxHybx7lqQs%2B02c5onDWwAJu0%2FXa7uEo4wydVNjFbM9A65Dqufxn%2Fpgt%2Braj4X7xhhEIOVJSSPbSZBbSxJNvU1RXDxQVcEYWxylurjnXvF%2B4xU3%2BP9tP0rM946UoJvc3YDI5hWbc8mJsTnhSSTAEIv%2By8ptqoFOtH7DkLTHWR7hCtv23053AashMytAXxqAAXNQ89LjX6M4bFYRAxsXrln0LN%2BTDs1Hk1dCGQ2edPqhVybm1axt7NpKWS7Xcrd6BKtuwqREs%2FZkIO8E%2BZRbfaX6uHOx9sHx1M1Y7HDHt%2BDvloHULH0rQNLniKayaTCJlIiyUPe8TaK3lv4mipQQf16PqYqAsx2Zu7Bqx9Np2CYIIAA%3D",
			"description": "Analyzes IP addresses for inbound scenarios, providing their geographic location and ASN information. It determines if the IP address is malicious, and assesses its risk severity level and confidence level. It also identifies threat types, such as exploits and zombies, and provides tags for related security events and threat actors.",
			"advance": {
				"inputParamMode": false,
				"onError": "stop_cur_flow",
				"rspStatusType": 3,
				"rspStatusThreshold": 0
			},
			"componentName": "Threatbook",
			"actionName": "ipReputation",
			"status": "failed",
			"cascaderValue": [{
				"label": "Threatbook_2",
				"value": "${Threatbook_2}",
				"children": [{
					"label": "Threatbook_2.datalist.*.domains.counterstrike2-cheats.com.severity",
					"name": "Threatbook_2.datalist.*.domains.counterstrike2-cheats.com.severity",
					"value": "${Threatbook_2.datalist.*.domains.counterstrike2-cheats.com.severity}"
				}, {
					"label": "Threatbook_2.total_exe",
					"name": "Threatbook_2.total_exe",
					"value": "${Threatbook_2.total_exe}"
				}, {
					"label": "Threatbook_2.total_data_successful",
					"name": "Threatbook_2.total_data_successful",
					"value": "${Threatbook_2.total_data_successful}"
				}, {
					"label": "Threatbook_2.datalist.*.domains.counterstrike2-cheats.com.judgments",
					"name": "Threatbook_2.datalist.*.domains.counterstrike2-cheats.com.judgments",
					"value": "${Threatbook_2.datalist.*.domains.counterstrike2-cheats.com.judgments}"
				}, {
					"label": "Threatbook_2.datalist.*.domains.counterstrike2-cheats.com.tags_classes.*.tags_type",
					"name": "Threatbook_2.datalist.*.domains.counterstrike2-cheats.com.tags_classes.*.tags_type",
					"value": "${Threatbook_2.datalist.*.domains.counterstrike2-cheats.com.tags_classes.*.tags_type}"
				}, {
					"label": "Threatbook_2.total_exe_successful",
					"name": "Threatbook_2.total_exe_successful",
					"value": "${Threatbook_2.total_exe_successful}"
				}, {
					"label": "Threatbook_2.datalist.*.domains.counterstrike2-cheats.com.tags_classes.*.tags",
					"name": "Threatbook_2.datalist.*.domains.counterstrike2-cheats.com.tags_classes.*.tags",
					"value": "${Threatbook_2.datalist.*.domains.counterstrike2-cheats.com.tags_classes.*.tags}"
				}, {
					"label": "Threatbook_2.datalist.*.domains.counterstrike2-cheats.com.permalink",
					"name": "Threatbook_2.datalist.*.domains.counterstrike2-cheats.com.permalink",
					"value": "${Threatbook_2.datalist.*.domains.counterstrike2-cheats.com.permalink}"
				}, {
					"label": "Threatbook_2.datalist.*.domains.counterstrike2-cheats.com.categories.second_cats",
					"name": "Threatbook_2.datalist.*.domains.counterstrike2-cheats.com.categories.second_cats",
					"value": "${Threatbook_2.datalist.*.domains.counterstrike2-cheats.com.categories.second_cats}"
				}, {
					"label": "Threatbook_2.total_data",
					"name": "Threatbook_2.total_data",
					"value": "${Threatbook_2.total_data}"
				}, {
					"label": "Threatbook_2.total_data_with_dup",
					"name": "Threatbook_2.total_data_with_dup",
					"value": "${Threatbook_2.total_data_with_dup}"
				}, {
					"label": "Threatbook_2.datalist.*.domains.counterstrike2-cheats.com.rank.umbrella_rank.global_rank",
					"name": "Threatbook_2.datalist.*.domains.counterstrike2-cheats.com.rank.umbrella_rank.global_rank",
					"value": "${Threatbook_2.datalist.*.domains.counterstrike2-cheats.com.rank.umbrella_rank.global_rank}"
				}, {
					"label": "Threatbook_2.datalist.*.domains.counterstrike2-cheats.com.is_malicious",
					"name": "Threatbook_2.datalist.*.domains.counterstrike2-cheats.com.is_malicious",
					"value": "${Threatbook_2.datalist.*.domains.counterstrike2-cheats.com.is_malicious}"
				}, {
					"label": "Threatbook_2.datalist.*.domains.counterstrike2-cheats.com.confidence_level",
					"name": "Threatbook_2.datalist.*.domains.counterstrike2-cheats.com.confidence_level",
					"value": "${Threatbook_2.datalist.*.domains.counterstrike2-cheats.com.confidence_level}"
				}, {
					"label": "Threatbook_2.status",
					"name": "Threatbook_2.status",
					"value": "${Threatbook_2.status}"
				}, {
					"label": "Threatbook_2.datalist.*.domains.counterstrike2-cheats.com.rank.alexa_rank.global_rank",
					"name": "Threatbook_2.datalist.*.domains.counterstrike2-cheats.com.rank.alexa_rank.global_rank",
					"value": "${Threatbook_2.datalist.*.domains.counterstrike2-cheats.com.rank.alexa_rank.global_rank}"
				}]
			}, {
				"label": "Threatbook_1",
				"value": "${Threatbook_1}",
				"children": [{
					"label": "Threatbook_1.datalist.*.network.tls_ex",
					"name": "Threatbook_1.datalist.*.network.tls_ex",
					"value": "${Threatbook_1.datalist.*.network.tls_ex}"
				}, {
					"label": "Threatbook_1.datalist.*.summary.file_size",
					"name": "Threatbook_1.datalist.*.summary.file_size",
					"value": "${Threatbook_1.datalist.*.summary.file_size}"
				}, {
					"label": "Threatbook_1.datalist.*.summary.sandbox_type_list",
					"name": "Threatbook_1.datalist.*.summary.sandbox_type_list",
					"value": "${Threatbook_1.datalist.*.summary.sandbox_type_list}"
				}, {
					"label": "Threatbook_1.datalist.*.pstree.children.*.process_name",
					"name": "Threatbook_1.datalist.*.pstree.children.*.process_name",
					"value": "${Threatbook_1.datalist.*.pstree.children.*.process_name}"
				}, {
					"label": "Threatbook_1.datalist.*.summary.md5",
					"name": "Threatbook_1.datalist.*.summary.md5",
					"value": "${Threatbook_1.datalist.*.summary.md5}"
				}, {
					"label": "Threatbook_1.datalist.*.multiengines.result.vbwebshell",
					"name": "Threatbook_1.datalist.*.multiengines.result.vbwebshell",
					"value": "${Threatbook_1.datalist.*.multiengines.result.vbwebshell}"
				}, {
					"label": "Threatbook_1.datalist.*.multiengines.result.Microsoft",
					"name": "Threatbook_1.datalist.*.multiengines.result.Microsoft",
					"value": "${Threatbook_1.datalist.*.multiengines.result.Microsoft}"
				}, {
					"label": "Threatbook_1.datalist.*.signature.*.marks.*.call.category",
					"name": "Threatbook_1.datalist.*.signature.*.marks.*.call.category",
					"value": "${Threatbook_1.datalist.*.signature.*.marks.*.call.category}"
				}, {
					"label": "Threatbook_1.total_exe",
					"name": "Threatbook_1.total_exe",
					"value": "${Threatbook_1.total_exe}"
				}, {
					"label": "Threatbook_1.datalist.*.summary.sample_sha256",
					"name": "Threatbook_1.datalist.*.summary.sample_sha256",
					"value": "${Threatbook_1.datalist.*.summary.sample_sha256}"
				}, {
					"label": "Threatbook_1.datalist.*.summary.malware_family",
					"name": "Threatbook_1.datalist.*.summary.malware_family",
					"value": "${Threatbook_1.datalist.*.summary.malware_family}"
				}, {
					"label": "Threatbook_1.datalist.*.multiengines.result.Baidu",
					"name": "Threatbook_1.datalist.*.multiengines.result.Baidu",
					"value": "${Threatbook_1.datalist.*.multiengines.result.Baidu}"
				}, {
					"label": "Threatbook_1.datalist.*.static.basic.md5",
					"name": "Threatbook_1.datalist.*.static.basic.md5",
					"value": "${Threatbook_1.datalist.*.static.basic.md5}"
				}, {
					"label": "Threatbook_1.datalist.*.summary.tag.s",
					"name": "Threatbook_1.datalist.*.summary.tag.s",
					"value": "${Threatbook_1.datalist.*.summary.tag.s}"
				}, {
					"label": "Threatbook_1.datalist.*.multiengines.result.OneStatic",
					"name": "Threatbook_1.datalist.*.multiengines.result.OneStatic",
					"value": "${Threatbook_1.datalist.*.multiengines.result.OneStatic}"
				}, {
					"label": "Threatbook_1.datalist.*.multiengines.result.DrWeb",
					"name": "Threatbook_1.datalist.*.multiengines.result.DrWeb",
					"value": "${Threatbook_1.datalist.*.multiengines.result.DrWeb}"
				}, {
					"label": "Threatbook_1.datalist.*.summary.tag.x",
					"name": "Threatbook_1.datalist.*.summary.tag.x",
					"value": "${Threatbook_1.datalist.*.summary.tag.x}"
				}, {
					"label": "Threatbook_1.datalist.*.summary.file_name",
					"name": "Threatbook_1.datalist.*.summary.file_name",
					"value": "${Threatbook_1.datalist.*.summary.file_name}"
				}, {
					"label": "Threatbook_1.datalist.*.signature.*.marks.*.call.api",
					"name": "Threatbook_1.datalist.*.signature.*.marks.*.call.api",
					"value": "${Threatbook_1.datalist.*.signature.*.marks.*.call.api}"
				}, {
					"label": "Threatbook_1.datalist.*.signature.*.marks.*.call.status",
					"name": "Threatbook_1.datalist.*.signature.*.marks.*.call.status",
					"value": "${Threatbook_1.datalist.*.signature.*.marks.*.call.status}"
				}, {
					"label": "Threatbook_1.datalist.*.signature.*.markcount",
					"name": "Threatbook_1.datalist.*.signature.*.markcount",
					"value": "${Threatbook_1.datalist.*.signature.*.markcount}"
				}, {
					"label": "Threatbook_1.datalist.*.summary.threat_score",
					"name": "Threatbook_1.datalist.*.summary.threat_score",
					"value": "${Threatbook_1.datalist.*.summary.threat_score}"
				}, {
					"label": "Threatbook_1.datalist.*.multiengines.result.NANO",
					"name": "Threatbook_1.datalist.*.multiengines.result.NANO",
					"value": "${Threatbook_1.datalist.*.multiengines.result.NANO}"
				}, {
					"label": "Threatbook_1.datalist.*.multiengines.result.Panda",
					"name": "Threatbook_1.datalist.*.multiengines.result.Panda",
					"value": "${Threatbook_1.datalist.*.multiengines.result.Panda}"
				}, {
					"label": "Threatbook_1.datalist.*.static.basic.file_type",
					"name": "Threatbook_1.datalist.*.static.basic.file_type",
					"value": "${Threatbook_1.datalist.*.static.basic.file_type}"
				}, {
					"label": "Threatbook_1.datalist.*.summary.sha1",
					"name": "Threatbook_1.datalist.*.summary.sha1",
					"value": "${Threatbook_1.datalist.*.summary.sha1}"
				}, {
					"label": "Threatbook_1.datalist.*.multiengines.result.Kaspersky",
					"name": "Threatbook_1.datalist.*.multiengines.result.Kaspersky",
					"value": "${Threatbook_1.datalist.*.multiengines.result.Kaspersky}"
				}, {
					"label": "Threatbook_1.total_exe_successful",
					"name": "Threatbook_1.total_exe_successful",
					"value": "${Threatbook_1.total_exe_successful}"
				}, {
					"label": "Threatbook_1.datalist.*.summary.threat_level",
					"name": "Threatbook_1.datalist.*.summary.threat_level",
					"value": "${Threatbook_1.datalist.*.summary.threat_level}"
				}, {
					"label": "Threatbook_1.datalist.*.pstree.process_name.en",
					"name": "Threatbook_1.datalist.*.pstree.process_name.en",
					"value": "${Threatbook_1.datalist.*.pstree.process_name.en}"
				}, {
					"label": "Threatbook_1.datalist.*.multiengines.result.Trustlook",
					"name": "Threatbook_1.datalist.*.multiengines.result.Trustlook",
					"value": "${Threatbook_1.datalist.*.multiengines.result.Trustlook}"
				}, {
					"label": "Threatbook_1.datalist.*.summary.malware_type",
					"name": "Threatbook_1.datalist.*.summary.malware_type",
					"value": "${Threatbook_1.datalist.*.summary.malware_type}"
				}, {
					"label": "Threatbook_1.datalist.*.static.basic.sha256",
					"name": "Threatbook_1.datalist.*.static.basic.sha256",
					"value": "${Threatbook_1.datalist.*.static.basic.sha256}"
				}, {
					"label": "Threatbook_1.datalist.*.strings.275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
					"name": "Threatbook_1.datalist.*.strings.275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f",
					"value": "${Threatbook_1.datalist.*.strings.275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f}"
				}, {
					"label": "Threatbook_1.datalist.*.signature.*.marks.*.cid",
					"name": "Threatbook_1.datalist.*.signature.*.marks.*.cid",
					"value": "${Threatbook_1.datalist.*.signature.*.marks.*.cid}"
				}, {
					"label": "Threatbook_1.datalist.*.multiengines.result.Avast",
					"name": "Threatbook_1.datalist.*.multiengines.result.Avast",
					"value": "${Threatbook_1.datalist.*.multiengines.result.Avast}"
				}, {
					"label": "Threatbook_1.total_data_successful",
					"name": "Threatbook_1.total_data_successful",
					"value": "${Threatbook_1.total_data_successful}"
				}, {
					"label": "Threatbook_1.datalist.*.signature.*.sig_class",
					"name": "Threatbook_1.datalist.*.signature.*.sig_class",
					"value": "${Threatbook_1.datalist.*.signature.*.sig_class}"
				}, {
					"label": "Threatbook_1.datalist.*.multiengines.result.Baidu-China",
					"name": "Threatbook_1.datalist.*.multiengines.result.Baidu-China",
					"value": "${Threatbook_1.datalist.*.multiengines.result.Baidu-China}"
				}, {
					"label": "Threatbook_1.datalist.*.pstree.children.*.command_line",
					"name": "Threatbook_1.datalist.*.pstree.children.*.command_line",
					"value": "${Threatbook_1.datalist.*.pstree.children.*.command_line}"
				}, {
					"label": "Threatbook_1.datalist.*.multiengines.result.Rising",
					"name": "Threatbook_1.datalist.*.multiengines.result.Rising",
					"value": "${Threatbook_1.datalist.*.multiengines.result.Rising}"
				}, {
					"label": "Threatbook_1.datalist.*.signature.*.attck_id",
					"name": "Threatbook_1.datalist.*.signature.*.attck_id",
					"value": "${Threatbook_1.datalist.*.signature.*.attck_id}"
				}, {
					"label": "Threatbook_1.total_data",
					"name": "Threatbook_1.total_data",
					"value": "${Threatbook_1.total_data}"
				}, {
					"label": "Threatbook_1.datalist.*.summary.sandbox_type",
					"name": "Threatbook_1.datalist.*.summary.sandbox_type",
					"value": "${Threatbook_1.datalist.*.summary.sandbox_type}"
				}, {
					"label": "Threatbook_1.total_data_with_dup",
					"name": "Threatbook_1.total_data_with_dup",
					"value": "${Threatbook_1.total_data_with_dup}"
				}, {
					"label": "Threatbook_1.datalist.*.multiengines.result.ShellPub",
					"name": "Threatbook_1.datalist.*.multiengines.result.ShellPub",
					"value": "${Threatbook_1.datalist.*.multiengines.result.ShellPub}"
				}, {
					"label": "Threatbook_1.datalist.*.multiengines.result.MicroAPT",
					"name": "Threatbook_1.datalist.*.multiengines.result.MicroAPT",
					"value": "${Threatbook_1.datalist.*.multiengines.result.MicroAPT}"
				}, {
					"label": "Threatbook_1.datalist.*.summary.multi_engines",
					"name": "Threatbook_1.datalist.*.summary.multi_engines",
					"value": "${Threatbook_1.datalist.*.summary.multi_engines}"
				}, {
					"label": "Threatbook_1.datalist.*.multiengines.result.ClamAV",
					"name": "Threatbook_1.datalist.*.multiengines.result.ClamAV",
					"value": "${Threatbook_1.datalist.*.multiengines.result.ClamAV}"
				}, {
					"label": "Threatbook_1.datalist.*.summary.file_type",
					"name": "Threatbook_1.datalist.*.summary.file_type",
					"value": "${Threatbook_1.datalist.*.summary.file_type}"
				}, {
					"label": "Threatbook_1.datalist.*.multiengines.result.ESET",
					"name": "Threatbook_1.datalist.*.multiengines.result.ESET",
					"value": "${Threatbook_1.datalist.*.multiengines.result.ESET}"
				}, {
					"label": "Threatbook_1.datalist.*.multiengines.result.K7",
					"name": "Threatbook_1.datalist.*.multiengines.result.K7",
					"value": "${Threatbook_1.datalist.*.multiengines.result.K7}"
				}, {
					"label": "Threatbook_1.datalist.*.multiengines.detect_rate",
					"name": "Threatbook_1.datalist.*.multiengines.detect_rate",
					"value": "${Threatbook_1.datalist.*.multiengines.detect_rate}"
				}, {
					"label": "Threatbook_1.datalist.*.multiengines.result.OneAV",
					"name": "Threatbook_1.datalist.*.multiengines.result.OneAV",
					"value": "${Threatbook_1.datalist.*.multiengines.result.OneAV}"
				}, {
					"label": "Threatbook_1.datalist.*.signature.*.name",
					"name": "Threatbook_1.datalist.*.signature.*.name",
					"value": "${Threatbook_1.datalist.*.signature.*.name}"
				}, {
					"label": "Threatbook_1.datalist.*.signature.*.marks.*.call.tid",
					"name": "Threatbook_1.datalist.*.signature.*.marks.*.call.tid",
					"value": "${Threatbook_1.datalist.*.signature.*.marks.*.call.tid}"
				}, {
					"label": "Threatbook_1.datalist.*.multiengines.scan_time",
					"name": "Threatbook_1.datalist.*.multiengines.scan_time",
					"value": "${Threatbook_1.datalist.*.multiengines.scan_time}"
				}, {
					"label": "Threatbook_1.datalist.*.summary.is_whitelist",
					"name": "Threatbook_1.datalist.*.summary.is_whitelist",
					"value": "${Threatbook_1.datalist.*.summary.is_whitelist}"
				}, {
					"label": "Threatbook_1.datalist.*.multiengines.result.Qihu360",
					"name": "Threatbook_1.datalist.*.multiengines.result.Qihu360",
					"value": "${Threatbook_1.datalist.*.multiengines.result.Qihu360}"
				}, {
					"label": "Threatbook_1.datalist.*.multiengines.result.Sophos",
					"name": "Threatbook_1.datalist.*.multiengines.result.Sophos",
					"value": "${Threatbook_1.datalist.*.multiengines.result.Sophos}"
				}, {
					"label": "Threatbook_1.datalist.*.multiengines.result.Antiy",
					"name": "Threatbook_1.datalist.*.multiengines.result.Antiy",
					"value": "${Threatbook_1.datalist.*.multiengines.result.Antiy}"
				}, {
					"label": "Threatbook_1.datalist.*.multiengines.result.GDATA",
					"name": "Threatbook_1.datalist.*.multiengines.result.GDATA",
					"value": "${Threatbook_1.datalist.*.multiengines.result.GDATA}"
				}, {
					"label": "Threatbook_1.datalist.*.signature.*.marks.*.call.time",
					"name": "Threatbook_1.datalist.*.signature.*.marks.*.call.time",
					"value": "${Threatbook_1.datalist.*.signature.*.marks.*.call.time}"
				}, {
					"label": "Threatbook_1.status",
					"name": "Threatbook_1.status",
					"value": "${Threatbook_1.status}"
				}, {
					"label": "Threatbook_1.datalist.*.multiengines.result.JiangMin",
					"name": "Threatbook_1.datalist.*.multiengines.result.JiangMin",
					"value": "${Threatbook_1.datalist.*.multiengines.result.JiangMin}"
				}, {
					"label": "Threatbook_1.datalist.*.signature.*.marks.*.call.return_value",
					"name": "Threatbook_1.datalist.*.signature.*.marks.*.call.return_value",
					"value": "${Threatbook_1.datalist.*.signature.*.marks.*.call.return_value}"
				}, {
					"label": "Threatbook_1.datalist.*.multiengines.result.AVG",
					"name": "Threatbook_1.datalist.*.multiengines.result.AVG",
					"value": "${Threatbook_1.datalist.*.multiengines.result.AVG}"
				}, {
					"label": "Threatbook_1.datalist.*.network.dns_servers",
					"name": "Threatbook_1.datalist.*.network.dns_servers",
					"value": "${Threatbook_1.datalist.*.network.dns_servers}"
				}, {
					"label": "Threatbook_1.datalist.*.signature.*.description",
					"name": "Threatbook_1.datalist.*.signature.*.description",
					"value": "${Threatbook_1.datalist.*.signature.*.description}"
				}, {
					"label": "Threatbook_1.datalist.*.strings.pcap",
					"name": "Threatbook_1.datalist.*.strings.pcap",
					"value": "${Threatbook_1.datalist.*.strings.pcap}"
				}, {
					"label": "Threatbook_1.datalist.*.signature.*.marks.*.pid",
					"name": "Threatbook_1.datalist.*.signature.*.marks.*.pid",
					"value": "${Threatbook_1.datalist.*.signature.*.marks.*.pid}"
				}, {
					"label": "Threatbook_1.datalist.*.multiengines.result.IKARUS",
					"name": "Threatbook_1.datalist.*.multiengines.result.IKARUS",
					"value": "${Threatbook_1.datalist.*.multiengines.result.IKARUS}"
				}, {
					"label": "Threatbook_1.datalist.*.pstree.children.*.first_seen",
					"name": "Threatbook_1.datalist.*.pstree.children.*.first_seen",
					"value": "${Threatbook_1.datalist.*.pstree.children.*.first_seen}"
				}, {
					"label": "Threatbook_1.datalist.*.signature.*.marks.*.type",
					"name": "Threatbook_1.datalist.*.signature.*.marks.*.type",
					"value": "${Threatbook_1.datalist.*.signature.*.marks.*.type}"
				}, {
					"label": "Threatbook_1.datalist.*.multiengines.result.Avira",
					"name": "Threatbook_1.datalist.*.multiengines.result.Avira",
					"value": "${Threatbook_1.datalist.*.multiengines.result.Avira}"
				}, {
					"label": "Threatbook_1.datalist.*.pstree.children.*.ppid",
					"name": "Threatbook_1.datalist.*.pstree.children.*.ppid",
					"value": "${Threatbook_1.datalist.*.pstree.children.*.ppid}"
				}, {
					"label": "Threatbook_1.datalist.*.multiengines.result.MicroNonPE",
					"name": "Threatbook_1.datalist.*.multiengines.result.MicroNonPE",
					"value": "${Threatbook_1.datalist.*.multiengines.result.MicroNonPE}"
				}, {
					"label": "Threatbook_1.datalist.*.static.basic.ssdeep",
					"name": "Threatbook_1.datalist.*.static.basic.ssdeep",
					"value": "${Threatbook_1.datalist.*.static.basic.ssdeep}"
				}, {
					"label": "Threatbook_1.datalist.*.static.basic.file_size",
					"name": "Threatbook_1.datalist.*.static.basic.file_size",
					"value": "${Threatbook_1.datalist.*.static.basic.file_size}"
				}, {
					"label": "Threatbook_1.datalist.*.multiengines.result.OneAV-PWSH",
					"name": "Threatbook_1.datalist.*.multiengines.result.OneAV-PWSH",
					"value": "${Threatbook_1.datalist.*.multiengines.result.OneAV-PWSH}"
				}, {
					"label": "Threatbook_1.datalist.*.pstree.process_name.cn",
					"name": "Threatbook_1.datalist.*.pstree.process_name.cn",
					"value": "${Threatbook_1.datalist.*.pstree.process_name.cn}"
				}, {
					"label": "Threatbook_1.datalist.*.network.secret_info",
					"name": "Threatbook_1.datalist.*.network.secret_info",
					"value": "${Threatbook_1.datalist.*.network.secret_info}"
				}, {
					"label": "Threatbook_1.datalist.*.static.basic.sha1",
					"name": "Threatbook_1.datalist.*.static.basic.sha1",
					"value": "${Threatbook_1.datalist.*.static.basic.sha1}"
				}, {
					"label": "Threatbook_1.datalist.*.pstree.children.*.track",
					"name": "Threatbook_1.datalist.*.pstree.children.*.track",
					"value": "${Threatbook_1.datalist.*.pstree.children.*.track}"
				}, {
					"label": "Threatbook_1.datalist.*.summary.submit_time",
					"name": "Threatbook_1.datalist.*.summary.submit_time",
					"value": "${Threatbook_1.datalist.*.summary.submit_time}"
				}, {
					"label": "Threatbook_1.datalist.*.signature.*.severity",
					"name": "Threatbook_1.datalist.*.signature.*.severity",
					"value": "${Threatbook_1.datalist.*.signature.*.severity}"
				}, {
					"label": "Threatbook_1.datalist.*.permalink",
					"name": "Threatbook_1.datalist.*.permalink",
					"value": "${Threatbook_1.datalist.*.permalink}"
				}, {
					"label": "Threatbook_1.datalist.*.pstree.children.*.pid",
					"name": "Threatbook_1.datalist.*.pstree.children.*.pid",
					"value": "${Threatbook_1.datalist.*.pstree.children.*.pid}"
				}, {
					"label": "Threatbook_1.datalist.*.static.basic.file_name",
					"name": "Threatbook_1.datalist.*.static.basic.file_name",
					"value": "${Threatbook_1.datalist.*.static.basic.file_name}"
				}]
			}, {
				"label": "configuration",
				"value": "${configuration}",
				"children": [{
					"label": "configuration.datalist.*.triggerType",
					"name": "configuration.datalist.*.triggerType",
					"value": "${configuration.datalist.*.triggerType}"
				}, {
					"label": "configuration.datalist.*._req_uuid",
					"name": "configuration.datalist.*._req_uuid",
					"value": "${configuration.datalist.*._req_uuid}"
				}, {
					"label": "configuration.datalist.*.scope.*.aliUid",
					"name": "configuration.datalist.*.scope.*.aliUid",
					"value": "${configuration.datalist.*.scope.*.aliUid}"
				}, {
					"label": "configuration.datalist.*.process.start_time",
					"name": "configuration.datalist.*.process.start_time",
					"value": "${configuration.datalist.*.process.start_time}"
				}, {
					"label": "configuration.status",
					"name": "configuration.status",
					"value": "${configuration.status}"
				}, {
					"label": "configuration.datalist.*.process.proc_id",
					"name": "configuration.datalist.*.process.proc_id",
					"value": "${configuration.datalist.*.process.proc_id}"
				}, {
					"label": "configuration.datalist.*._tenant_id",
					"name": "configuration.datalist.*._tenant_id",
					"value": "${configuration.datalist.*._tenant_id}"
				}, {
					"label": "configuration.datalist.*.process.host_uuid.host_uuid",
					"name": "configuration.datalist.*.process.host_uuid.host_uuid",
					"value": "${configuration.datalist.*.process.host_uuid.host_uuid}"
				}, {
					"label": "configuration.total_data",
					"name": "configuration.total_data",
					"value": "${configuration.total_data}"
				}, {
					"label": "configuration.datalist.*._trigger_user",
					"name": "configuration.datalist.*._trigger_user",
					"value": "${configuration.datalist.*._trigger_user}"
				}, {
					"label": "configuration.datalist.*.process.host_uuid.os_type",
					"name": "configuration.datalist.*.process.host_uuid.os_type",
					"value": "${configuration.datalist.*.process.host_uuid.os_type}"
				}, {
					"label": "configuration.datalist.*.process.cmd_line",
					"name": "configuration.datalist.*.process.cmd_line",
					"value": "${configuration.datalist.*.process.cmd_line}"
				}, {
					"label": "configuration.datalist.*.triggerUser",
					"name": "configuration.datalist.*.triggerUser",
					"value": "${configuration.datalist.*.triggerUser}"
				}, {
					"label": "configuration.datalist.*._domain_id",
					"name": "configuration.datalist.*._domain_id",
					"value": "${configuration.datalist.*._domain_id}"
				}, {
					"label": "configuration.datalist.*.process.file_path.file_path",
					"name": "configuration.datalist.*.process.file_path.file_path",
					"value": "${configuration.datalist.*.process.file_path.file_path}"
				}, {
					"label": "configuration.total_data_with_dup",
					"name": "configuration.total_data_with_dup",
					"value": "${configuration.total_data_with_dup}"
				}, {
					"label": "configuration.total_exe_successful",
					"name": "configuration.total_exe_successful",
					"value": "${configuration.total_exe_successful}"
				}, {
					"label": "configuration.datalist.*.scope.*.cloudCode",
					"name": "configuration.datalist.*.scope.*.cloudCode",
					"value": "${configuration.datalist.*.scope.*.cloudCode}"
				}, {
					"label": "configuration.total_data_successful",
					"name": "configuration.total_data_successful",
					"value": "${configuration.total_data_successful}"
				}, {
					"label": "configuration.total_exe",
					"name": "configuration.total_exe",
					"value": "${configuration.total_exe}"
				}, {
					"label": "configuration.datalist.*.scope.*.userId",
					"name": "configuration.datalist.*.scope.*.userId",
					"value": "${configuration.datalist.*.scope.*.userId}"
				}, {
					"label": "configuration.datalist.*._region_id",
					"name": "configuration.datalist.*._region_id",
					"value": "${configuration.datalist.*._region_id}"
				}, {
					"label": "configuration.datalist.*.process.file_path.hash_value",
					"name": "configuration.datalist.*.process.file_path.hash_value",
					"value": "${configuration.datalist.*.process.file_path.hash_value}"
				}]
			}]
		},
		"isNode": true
	}, {
		"shape": "custom-edge",
		"attrs": {
			"line": {
				"stroke": "#d93026",
				"targetMarker": {
					"stroke": "#d93026"
				}
			}
		},
		"zIndex": 1,
		"id": "ae6ca05c-ebd1-41f1-a94d-489fdc308861",
		"data": {
			"nodeType": "sequenceFlow",
			"appType": "basic"
		},
		"router": {
			"name": "manhattan",
			"args": {
				"padding": 5,
				"excludeHiddenNodes": true,
				"excludeNodes": ["clone_node_id"]
			}
		},
		"source": {
			"cell": "58d87b7d-28d9-4f0e-b135-4adc4f1a70e4"
		},
		"visible": true,
		"target": {
			"cell": "e0082b2e-d82c-464f-a22f-9b67eb47a363"
		}
	}, {
		"shape": "custom-edge",
		"attrs": {
			"line": {
				"stroke": "#d93026",
				"targetMarker": {
					"stroke": "#d93026"
				}
			}
		},
		"zIndex": 1,
		"id": "8f084c6d-9afd-4ecb-8c9d-3c7824f9de2f",
		"data": {
			"nodeType": "sequenceFlow",
			"appType": "basic"
		},
		"router": {
			"name": "normal"
		},
		"source": {
			"cell": "58d87b7d-28d9-4f0e-b135-4adc4f1a70e4"
		},
		"visible": true,
		"target": {
			"cell": "8afdafcc-32aa-4ab2-b8b2-abafc4314e85"
		},
		"vertices": [{
			"x": -382,
			"y": -22
		}]
	}, {
		"shape": "custom-edge",
		"attrs": {
			"line": {
				"stroke": "#63ba4d",
				"targetMarker": {
					"stroke": "#63ba4d"
				}
			}
		},
		"zIndex": 1,
		"id": "e55e80d8-fab6-42ac-91ab-da7697ec80dd",
		"data": {
			"nodeType": "sequenceFlow",
			"appType": "basic"
		},
		"router": {
			"name": "normal"
		},
		"source": {
			"cell": "19fca1bc-4cf1-491e-9ae4-ee5d3f0c2f61"
		},
		"visible": true,
		"target": {
			"cell": "317dd1be-2d20-460e-977e-1fc936ffb583"
		},
		"vertices": [{
			"x": 158,
			"y": -247
		}]
	}, {
		"shape": "custom-edge",
		"attrs": {
			"line": {
				"stroke": "#d93026",
				"targetMarker": {
					"stroke": "#d93026"
				}
			}
		},
		"zIndex": 1,
		"id": "ba2021dc-533b-4ba3-a1a7-69f05f3c7515",
		"data": {
			"nodeType": "sequenceFlow",
			"appType": "basic"
		},
		"router": {
			"name": "manhattan",
			"args": {
				"padding": 5,
				"excludeHiddenNodes": true,
				"excludeNodes": ["clone_node_id"]
			}
		},
		"source": {
			"cell": "8afdafcc-32aa-4ab2-b8b2-abafc4314e85"
		},
		"visible": true,
		"target": {
			"cell": "317dd1be-2d20-460e-977e-1fc936ffb583"
		}
	}, {
		"shape": "custom-edge",
		"attrs": {
			"line": {
				"stroke": "#d93026",
				"targetMarker": {
					"stroke": "#d93026"
				}
			}
		},
		"zIndex": 1,
		"id": "c3c22836-585a-4f5e-a3ec-92ecedfad6ba",
		"data": {
			"nodeType": "sequenceFlow",
			"appType": "basic"
		},
		"router": {
			"name": "manhattan",
			"args": {
				"padding": 5,
				"excludeHiddenNodes": true,
				"excludeNodes": ["clone_node_id"]
			}
		},
		"source": {
			"cell": "e0082b2e-d82c-464f-a22f-9b67eb47a363"
		},
		"visible": true,
		"target": {
			"cell": "317dd1be-2d20-460e-977e-1fc936ffb583"
		}
	}]
}

fileReport

Retrieves detailed static analysis and dynamic analysis reports for a file. The reports include a summary, network behavior, behavioral signatures, static information, dropped file behavior, process behavior, and antivirus scan engine results.

Note

For more information, see the Threatbook document File Reputation Report.

Input parameters

Parameter	Description	Example
userId	The ID of the associated Alibaba Cloud account. Important You can set this to the ID of a member account managed by the current Alibaba Cloud account. For more information about how to add a member account, see Multi-account security management. If you omit this parameter, it defaults to the ID of the current Alibaba Cloud account.	XXX
cloudUserId	The Threatbook account ID. For more information, see Prerequisites.	7f7c*************7fcca4
resource	The hash (SHA256, SHA1, or MD5) of the file to analyze.	44d88612*************1278abb02f

Output parameters

Parameter	Description
multiengines	The detection results from antivirus scan engines. This is a JSON object that contains the following fields: result: The detection result from each scan engine. If no threat is detected, the value is `clean`. If a threat is detected, the value is the tag of the detected virus. scan_time: The time when the sample was scanned by multiple engines, for example, `2019-10-22 16:17:48`.
summary	The summary. This is a JSON object that contains the following fields: threat_level: The threat level, which is a comprehensive rating based on static analysis, multi-engine antivirus scans, and dynamic analysis in multiple sandbox environments. malicious: Malicious suspicious: Suspicious clean: Clean unknown: Unknown malware_type: The threat classification. For a complete list of threat classifications, see Complete List of Sample Threat Classifications. malware_family: The virus family, such as Xorddos. is_whitelist: Indicates whether the file is on the whitelist. true: The file is on the whitelist. false: The file is not on the whitelist. submit_time: The time the file was submitted, for example, `2019-01-22 17:36:21`. file_name: The file name. file_type: The file type. sample_sha256: The SHA256 hash of the file. md5: The MD5 hash of the file. sha1: The SHA1 hash of the file. scenes: Scenario detection. Cybercrime: Cybercrime sample. CS_Detect: Cobalt Strike trojan sample. RT_Tools: Red team tool. Exploit: Vulnerability exploit. HW202X: Major event support sample. The value varies by year. tag: The tags. This is a JSON object that contains the following fields: s: Static tags. This is a JSON array. An example is "abnormal timestamp". For some common tags, see Some Common Sample Tags. x: Antivirus engine detection tags. threat_score: The threat score. sandbox_type: The specified sandbox runtime environment for this analysis. For a complete list of runtime environments, see Complete List of Sandbox Runtime Environments. sandbox_type_list: A list of all sandbox runtime environments that successfully analyzed the sample. multi_engines: The detection rate of the antivirus scan engines.
signature	The behavioral signatures. This is a JSON array. Each item contains the following fields: severity: The severity level. This is an integer. A larger value indicates a higher severity. references: The references. This is a JSON array. sig_class: The signature classification. name: The name of the signature. description: The behavior description. markcount: The mark count. marks: The raw data of the signature. This is a JSON array. families: The sample families. This is a JSON array. attck_id: The ATT&CK ID. attck_info: The ATT&CK details. This is a JSON array.
static	The static information. This is a JSON object. For a complete example of a static information report response, see Complete Example of a File Static Information Report Response.
pstree	The process behavior.
network	The network behavior. fingerprint: The fingerprint information. This is a JSON array. tls: The TLS protocol. This is a JSON array. udp: The UDP protocol. This is a JSON array. dns_servers: The DNS service. This is a JSON array. http: The HTTP protocol. This is a JSON array. irc: The IRC protocol. This is a JSON array. smtp: The SMTP protocol. This is a JSON array. tcp: The TCP protocol. This is a JSON array. smtp_ex: The extended SMTP protocol data. This is a JSON array. mitm: The man-in-the-middle. This is a JSON array. hosts: The network hosts. This is a JSON array. dns: The domain name system. This is a JSON array. http_ex: The extended HTTP protocol data. This is a JSON array. domains: The domain names. This is a JSON array. dead_hosts: The dead hosts. This is a JSON array. icmp: The ICMP protocol. This is a JSON array. https_ex: The extended HTTPS protocol data. This is a JSON array.
dropped	The dropped file behavior. This is a JSON array. Each item contains the following fields: sha1: The SHA1 hash of the file. This is a string. sha256: The SHA256 hash of the file. This is a string. md5: The MD5 hash of the file. This is a string. urls: The extracted URLs. This is a JSON array. size: The file size. This is an integer. filepath: The file path. This is a string. name: The file name. This is a string. crc32: The CRC32 hash of the file. This is a string. ssdeep: The ssdeep hash of the file. This is a string. type: The file type. This is a string. yara: The YARA results. This is a JSON array.
strings	String-related information. This is a JSON object that contains the following fields: sha256: An array of static strings extracted from the file. pcap: An array of strings extracted from the captured network traffic.
permalink	The URL of the web sandbox report page.

iocReport

Analyzes IP addresses and domain names in outbound access scenarios, such as from an office network or a production network. It determines whether an IP address or domain name is malicious, assesses its severity and confidence level, identifies threats such as C2, malware, and mining pools, and provides associated security event or threat actor tags.

Note

For more information, see the Threatbook document Compromise Detection.

Input parameters

Parameter	Description	Example
userId	The ID of the associated Alibaba Cloud account. Important You can specify the ID of a member account that is managed by the current Alibaba Cloud account. For more information about how to add a member account, see Multi-account Security Management. If this parameter is omitted, the current Alibaba Cloud account is used.	XXX
clouldUserId	The Threatbook account ID. For more information, see Prerequisites.	7f7c*************7fcca4
resource	An IP address or domain name. To query multiple resources, separate them with commas. You can specify up to 100 resources. Note You can include a port number for an IP address.	test.com or 0.0.0.0:80

Output parameters

Type	Parameter	Description
ip	is_malicious	Indicates whether the resource is malicious. `true`: The resource is malicious. `false`: The resource is not malicious.
	confidence_level	The confidence level of the assessment. `high`: High `medium`: Medium `low`: Low
	severity	The overall severity of the threat. `critical`: Critical `high`: High `medium`: Medium `low`: Low `info`: No threat
	judgments	The threat type, which varies depending on whether the indicator of compromise (IOC) is malicious. Malicious `C2`: A C2 server. `Sinkhole C2`: A C2 server that has been sinkholed by a security organization. `MiningPool`: A public mining pool. `CoinMiner`: A private mining pool. `Malware`: Associated with malware distribution or activity. Not malicious `Whitelist`: The resource is on a whitelist. `Info`: Basic information. Note For a complete list of `Info` sub-types, see All threat types.
	tags_classes	Information about associated threat actors or security events, returned as a JSON array where each object contains the following fields: `tags_type`: The category of the tag, such as `industry`, `gangs` (threat actor), or `virus_family`. `tags`: The specific tag for the threat actor or security event, such as `APT` or `OceanLotus`.
	permalink	Link to intelligence details. A URL to the full threat intelligence analysis page for the resource.
domain	categories	The categories of the domain name, returned as a JSON object that contains the following fields: `first_cats`: The level-1 category. This is an array. `second_cats`: The level-2 category. This is a string. In addition to the `categories` field, a response for a domain name includes the same fields as a response for an IP address, such as `is_malicious` and `severity`.

ipReport

Analyzes IP addresses and domain names in outbound access scenarios, such as from an office network or a production network. This feature assesses if an IP address or domain name is malicious and determines its severity level and confidence level. It identifies threats such as Command and Control (C2), malware, and mining pools, and provides associated security event or threat actor tags.

Note

For more information, see the Threatbook document IP Reputation.

Input parameters

Parameter	Description	Example
userId	The ID of the associated Alibaba Cloud account. Important You can specify the ID of a member account that is managed by the current Alibaba Cloud account. For more information about how to add a member account, see Multi-account security management. If this parameter is not specified, the current Alibaba Cloud account is used.	XXX
cloudUserId	The Threatbook account ID. For more information, see Prerequisites.	7f7c*************7fcca4
resource	Up to 100 comma-separated IP addresses.	0.0.0.0

Output parameters

Parameter	Description
basic	A JSON object containing basic information, with the following fields: carrier: The carrier or service provider. location: A JSON object containing geographic information for the IP address, with the following fields: country: The country. country_code: The country code. province: The province. city: The city. lng: The longitude. lat: The latitude.
is_malicious	Indicates if the IP address is malicious. true: The IP address is malicious. false: The IP address is not malicious.
confidence_level	The confidence level of the assessment, which is determined by the intelligence source and a confidence model. low: Low medium: Medium high: High
severity	The severity level, which indicates the degree of harm of the threat. critical: Critical high: High medium: Medium low: Low info: No threat
judgments	A JSON array of comprehensive threat types identified through threat intelligence analysis. Malicious types: Spam: spam Zombie: zombie Scanner: scan Exploit: vulnerability exploit Botnet: botnet Brute Force: brute-force attack Note For subclasses related to Brute Force, see Full set of threat types. Non-malicious types: Whitelist: whitelist. Info: basic information.
tags_classes	A JSON array describing associated threat actors or security events. Each object in the array contains the following fields: tags_type: The tag category, such as "industry", "gangs" (threat actor), or "virus_family". tags: The specific tag for the threat actor or security event, such as Mirai.
asn	A JSON object containing ASN information, with the following fields: number: The ASN. info: The AS name. rank: The risk value. The value ranges from 0 to 4. A larger value indicates a higher risk.
update_time	The time when the intelligence was last updated.
scene	The use case. Examples include leased line and data center. For a complete list, see Application Scenario Classification.
feature	A JSON array of asset features, with the following fields: category: The category. For details about categories, see IP Reputation · Advanced Field Classification. tag_name: The specific asset feature tag. tag_desc: The description of the tag.
entity	A JSON array of attributed entities, with the following fields: category: The level-1 category. For details about categories, see IP Reputation · Advanced Field Classification. type: The level-2 category. tag_name: The specific attributed entity tag. tag_desc: The description of the tag.
hist_behavior	A JSON array of attack behaviors, with the following fields: category: The category. For details about categories, see IP Reputation · Advanced Field Classification. tag_name: The specific attack behavior tag. tag_desc: The description of the tag. vuln_id: The specific vulnerability ID when the category is "vulnerability exploit."
evaluation	A JSON object containing the impact assessment, with the following fields: active: The activity level. high: High medium: Medium low: Low honeypot_hit: Indicates if a honeypot captured the IP address. true: Captured by a honeypot. false: Not captured by a honeypot.
fraud	A JSON array of fraud and abuse behaviors, with the following fields: tag_name: The specific fraud and abuse tag. tag_desc: The description of the tag.
permalink	A permalink to the threat intelligence query result page for the IP address.

Reference

For Threatbook's response status codes and message descriptions, see Response status codes and message descriptions.

Parameter	Description
Vendor	ThreatBook.
Product	Threat Intelligence Cloud API.
Account ID	Your ThreatBook account ID.
API key	Your ThreatBook API key.