Connect this data source on your own, using the Hunters platform.
TL;DR
Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method |
---|---|---|---|---|---|---|---|
Area 1 Alerts | ✅ | ✅ | areaone_alerts | NDJSON | API |
Area 1 Indicators | ✅ | areaone_indicators | NDJSON | API |
Overview
Area 1, recently merged into Cloudflare, defends against sophisticated threats by stopping phishing at the earliest stages of the attack cycle.
Integrating Area 1 with Hunters collects and ingests its key data types into the data lake. Hunters then creates alerts over the logs, auto-investigates them, and correlates them with other related signals.
Supported data types
Area 1 Alerts
Table name: areaone_alerts
Email alerts generated by Area 1.
Area 1 Indicators
Table name: areaone_indicators
Indicators reported by Area 1.
Send data to Hunters
Hunters supports API collection for Area 1 events.
To connect Area 1 logs:
Navigate to the API Authentication and Authorization section and follow this guide to gather the following API keys from Area 1:
Public Key
Private Key
Complete the process on the Hunters platform, following this guide.
Expected format
Area 1 Alerts sample
```json
{
  "source": "area1security",
  "time": 1678348978033,
  "event": {
    "final_disposition": "MALICIOUS",
    "delivery_mode": "DIRECT",
    "attachments": [
      {
        "sha1": "9817e37aa1e615713e3049979542ca41e2abcb37",
        "sha256": "e3baa939f091b712bd5d96d2a826c136d969bd9b1b57065febbb7492b1cbef69",
        "content_type_provided": "image/jpeg",
        "content_type_computed": "image/jpeg",
        "name": "image003.jpg",
        "ssdeep": "48:lX6uERAL3EZ+XRjeG7tma95wp5RQf/gMo/SNXI38mfKDNVBLWrQg:l9EMg+jeG7TedQfIMoqRxEfLsQg",
        "md5": "965364701f344f098ae913cb59b6aa1c",
        "extension": "jpg",
        "att_size": 123456
      }
    ],
    "smtp_helo_server_name": "mail.example.net",
    "envelope_to": ["user@example.com"],
    "subject": "Potential Partnership",
    "smtp_helo_server_ip_as_name": "LIQUIDWEB - Liquid Web, L.L.C, US",
    "alert_reasons": [
      "Malicious previous hop domain server 'mail.example[dot]net'",
      "no really, it's a very mailicious domain 'example[dot]net'"
    ],
    "encrypted_feature_count": null,
    "message_id": "<002001d3db86$7bb1b220$73660$@example.com.ph>",
    "replyto_name": null,
    "from_name": "Christine",
    "smtp_helo_server_ip": "192.168.1.184",
    "smtp_helo_server_ip_geo": "US/-/-",
    "smtp_helo_server_ip_as_number": "3232235960",
    "envelope_from": "christine@example.com.ph",
    "alert_id": "40VVylabcbz7pJj-2022-04-24T04:41:19",
    "replyto": "christine@example.com.ph",
    "from": "CEO Christine <christine@example.com.ph>",
    "to": ["user@example.com"],
    "links": [
      "http://uh-oh.thisisa.com/badlink",
      "http://another-malicious-link.xyz/"
    ],
    "ts": "2022-04-24T04:41:19Z"
  }
}
```
Area 1 Indicators sample
```json
{
  "item_name": "a1bcde2f3g4567890h12i34j56klm7n8",
  "first_seen": 1679294444759,
  "threat_name": "Area 1 Identified Malicious",
  "threat_categories": [
    {
      "classification_disposition": ["Unclassified"],
      "threat_type": ["Threat Type1"],
      "category": ["Category1"]
    }
  ],
  "last_seen": 1679294444759,
  "item_type": "filehash"
}
```
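The two record shapes above are NDJSON (one JSON object per line), with `time`/`first_seen`/`last_seen` as epoch milliseconds and attachment hashes in the alert's `event.attachments`. The following added example (not Hunters' or Cloudflare's code) shows the kind of normalization and correlation a SIEM pipeline does over these feeds: it parses both streams, keeps only `MALICIOUS` alerts, flattens the fields an analyst triages first, and flags attachment SHA-256 values that also appear as `filehash` indicators. The sample lines are constructed and trimmed to the fields used.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample records in the page's NDJSON shape, trimmed to the fields used here.
ALERT_LINES = """\
{"source": "area1security", "time": 1678348978033, "event": {"final_disposition": "MALICIOUS", "attachments": [{"sha256": "e3baa939f091b712bd5d96d2a826c136d969bd9b1b57065febbb7492b1cbef69", "name": "image003.jpg"}], "envelope_from": "christine@example.com.ph", "smtp_helo_server_ip": "192.168.1.184", "links": ["http://uh-oh.thisisa.com/badlink"], "alert_id": "40VVylabcbz7pJj-2022-04-24T04:41:19"}}
{"source": "area1security", "time": 1678348979000, "event": {"final_disposition": "SPAM", "attachments": [], "envelope_from": "news@example.org", "smtp_helo_server_ip": "203.0.113.7", "links": [], "alert_id": "constructed-alert-2"}}
"""
INDICATOR_LINES = """\
{"item_name": "E3BAA939F091B712BD5D96D2A826C136D969BD9B1B57065FEBBB7492B1CBEF69", "item_type": "filehash", "threat_name": "Area 1 Identified Malicious", "first_seen": 1679294444759, "last_seen": 1679294444759}
"""

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_ndjson(text):
    """Parse NDJSON: one JSON object per non-empty line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def epoch_ms_to_iso(ms):
    """Epoch milliseconds -> ISO 8601 UTC, using integer timedelta arithmetic (no float rounding)."""
    return (EPOCH + timedelta(milliseconds=int(ms))).isoformat()


def load_filehash_indicators(text):
    """Index filehash indicators by lowercase hash so matching is case-insensitive."""
    return {r["item_name"].lower(): r for r in parse_ndjson(text) if r.get("item_type") == "filehash"}


def triage_alerts(alert_text, indicators):
    """Flatten each MALICIOUS alert and flag attachment SHA-256s known as indicators."""
    rows = []
    for rec in parse_ndjson(alert_text):
        ev = rec.get("event", {})
        if ev.get("final_disposition") != "MALICIOUS":
            continue  # SPAM/SUSPICIOUS etc. stay in the lake but are not escalated here
        hashes = {a["sha256"].lower() for a in ev.get("attachments", []) if a.get("sha256")}
        rows.append({
            "alert_id": ev.get("alert_id"),
            "received": epoch_ms_to_iso(rec["time"]),
            "sender": ev.get("envelope_from"),
            "helo_ip": ev.get("smtp_helo_server_ip"),
            "links": list(ev.get("links", [])),
            "matched_indicators": sorted(h for h in hashes if h in indicators),
        })
    return rows
```

Running `triage_alerts(ALERT_LINES, load_filehash_indicators(INDICATOR_LINES))` yields one row for the malicious alert with its SHA-256 listed under `matched_indicators`; the spam record is dropped.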