Integration Details

ThreatQuotient provides the following details for this integration:

Introduction

The AskSage.ai Action Bundle for ThreatQ enables organizations to train datasets using content from their Threat Library, then query the trained models to generate reports and insights based on the organization's specific requirements.

AskSage.ai specializes in providing government-grade secure environments to train and query a variety of AI models. It supports over 20 large language models (LLMs) and hundreds of plugins/personas to provide a wide range of capabilities and perspectives. Using these models, organizations can securely train models against specific datasets, allowing them to query the models for curated insights based on the organization's needs.

The integration provides the following actions:

• AskSage.ai - Train Dataset - submits selected reports to an AskSage Dataset for training.
• AskSage.ai - Generate Report - queries an AskSage Dataset to generate a report based on the organization's specific requirements.

The actions are compatible with and return enriched Report objects.

This action is intended for use with ThreatQ TDR Orchestrator (TQO). An active TQO license is required for this feature.

Prerequisites

• An active ThreatQ TDR Orchestrator (TQO) license.
• A data collection containing the Report objects.
• A valid AskSage.ai API Key.

  A free trial is available at https://asksage.ai.

Installation

Perform the following steps to install the integration:

The same steps can be used to upgrade the integration to a new version.

1. Contact the ThreatQuotient support team, support@threatq.com, to request the integration file. 

   This integration cannot be downloaded from the ThreatQ Marketplace.

2. Navigate to the integrations management page on your ThreatQ instance.
3. Click on the Add New Integration button.
4. Upload the action zip file using one of the following methods:
   • Drag and drop the zip file into the dialog box
   • Select Click to Browse to locate the zip file on your local machine
5. Select the actions to install, when prompted, and click on Install.

   ThreatQ will inform you if the action already exists on the platform and will require user confirmation before proceeding. ThreatQ will also inform you if the new version of the action contains changes to the user configuration. The new user configurations will overwrite the existing ones for the action and will require user confirmation before proceeding.

You will still need to configure the action.

Configuration

ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.

To configure the integration:

1. Navigate to your integrations management page in ThreatQ.
2. Select the Actions option from the Category dropdown (optional).
3. Click on the action entry to open its details page.
4. Enter the following parameters under the Configuration tab:

   The configurations set on this page will be used as the default settings when inserting this action into a new workflow. Updating the configurations on this page will not update any instances of this action that have already been deployed to a workflow. In that scenario, you must update the action’s configurations within the workflow itself.

   Train Dataset Parameters

   Parameter	Description
   Accept the User Agreement	Click on Accept the User Agreement checkbox to reveal the User Agreement and then select I Agree.
   Email	Enter the AskSage.ai email address that you use to authenticate with AskSage.ai.   You must click on the I Agree checkbox in order to access this parameter.
   API Key	Enter your AskSage.ai API key.   You must click on the I Agree checkbox in order to access this parameter.
   Model Selection	Select which model to use for generating the intelligence report. Options include: GPT 4o Gov (default) AWS Bedrock Titan LLMA3 Claude2 Claude 3 Opus Claude 3 Sonnet Claude 35 Sonnet Cohere Mistral Large GPT Gov GPT4 Gov GPT GPT4 GPT4 32k GPT35 16k GPT4 Vision GTP 4o GTP 4o Mini DALL-E 2 DALL-E 3 Google Bison Google Gemini Pro Groq 70b GPT O1 GPT O1 Mini XAI Grok You must click on the I Agree checkbox in order to access this parameter.
   Threat / Topic (Dataset Name)	Enter the threat or topic that this report is about. This will allow us to train a specific dataset for this threat. You can also set up multiple workflows pointing to the same dataset to train the model on different reports. You must click on the I Agree checkbox in order to access this parameter.
   Enable SSL Certificate  Verification	Enable this for the action to validate the host-provided SSL certificate.
   Disable Proxies	Enable this option if the action should not honor proxies set in the ThreatQ UI.

   
   

   Generate Report Parameters

   Parameter	Description
   Accept the User Agreement	Click on Accept the User Agreement checkbox to reveal the User Agreement and then select I Agree.
   Email	Enter the AskSage.ai email address that you use to authenticate with AskSage.ai.   You must click on the I Agree checkbox in order to access this parameter.
   API Key	Enter your AskSage.ai API key.   You must click on the I Agree checkbox in order to access this parameter.
   Threat / Topic (Dataset Name)	Enter the threat or topic that this report is about. This will allow you to link the report to the dataset that was trained for this threat. If no threat/dataset is entered, the report will be generated using the global, All dataset (not recommended). You must click on the I Agree checkbox in order to access this parameter.
   System Prompt / Backstory	Enter the system prompt for the LLM model. This will be used to set the scene for the model when asking it to generate the report. You must click on the I Agree checkbox in order to access this parameter.
   Prompt	Enter a prompt for the LLM model. This will be used to generate the report, in addition to the system prompt. You must click on the I Agree checkbox in order to access this parameter.
   Industry	Enter the industry that this report is for. This will be used when asking the model to generate the report for this threat.  You must click on the I Agree checkbox in order to access this parameter.
   Enable SSL Certificate  Verification	Enable this for the action to validate the host-provided SSL certificate.
   Disable Proxies	Enable this option if the action should not honor proxies set in the ThreatQ UI.

   
   
5. Review any additional settings, make any changes if needed, and click on Save.

Actions

The following actions are available:

{
  "status": 200,
  "response": [-1.01596829346, 0.23845782520925, 1.23293754928234]
}

{
  "status": 200,
  "response": "<The generated report>",
  "references": ["[1] Source Content 1", "[2] Source Content 2"]
}

Enriched Data

Object counts and action runtime are supplied as generalities only - objects returned by a provider can differ based on credential configurations and action runtime may vary based on system resources and load.

Generate Report

Use Case Example

Premise: I am an Analyst that wants to get weekly reports on the latest happenings with a threat actor targeting my organization, FIN7. I already have blog posts, news, and threat reports being ingested into my Threat Library as reports.

Training a Dataset

1. I create a Threat Library data collection targeting those reports, but only the ones that mention FIN7.
2. I create and enable a workflow that uses the AskSage.ai - Train Dataset action to train a dataset on the FIN7 reports.
3. I reload my Threat Library data collection, and run the workflow I just created.

The selected reports will be sent to your AskSage.ai tenant for processing and training.

Generating a Report

1. I create a new workflow that uses the AskSage.ai - Generate Report action.
2. In the action's configuration, I select the same FIN7 Dataset that I trained in the previous step I do this by entering the same name for the Topic / Dataset field as I did for the training action.
3. I provide a system prompt and a prompt for the model to generate the report I enable and run the workflow to generate the report.
4. I wait up to a couple of minutes for the report to be generated and indexed in the Threat Library.
5. I open my Threat Library to the Report objects and find the generated report by searching for reports with the source, AskSage.ai and review the it to see the insights generated by the model

Known Issues / Limitations

• Both actions, Train Dataset and Generate Reports,  will use your allocated AskSage tokens. Because of this, the action can currently only be run manually. You can invoke the actions from the Threat Library, an Object Details page, or the Workflow configurator page. This is to ensure that you understand what you are sending to AskSage and prevent accidental overuse of your tokens.

Change Log

• Version 1.0.0
  • Initial release