Integration Details

ThreatQuotient provides the following details for this integration:

Introduction

FS-Group is a leader in the field of research and cyber threat prevention. The company’s Ukraine-based experts have successfully engaged in the investigation of high-tech crimes through the use of security audits of computer systems and the implementation of integrated network solutions. Government agencies, private companies, and individual entities are among FS-Group's client base.

The integration provides the following action:

• FS-Group Enrich IP Address - retrieves all the info for submitted IP Addresses.

The action is compatible with the following IP Address type Indicators.

The action returns the following enriched indicator types:

• FQDN
• IP Addresses

This action is intended for use with ThreatQ TDR Orchestrator (TQO). An active TQO license is required for this feature.

Prerequisites

• An active ThreatQ TDR Orchestrator (TQO) license.
• A data collection containing IP Address type indicators.
• A FS-Group API Key.
• The public IP address of your ThreatQ Instance must whitelisted by the FS-Group provider.  

Installation

Perform the following steps to install the integration:

The same steps can be used to upgrade the integration to a new version.

1. Log into https://marketplace.threatq.com/.
2. Locate and download the action zip file.
3. Navigate to the integrations management page on your ThreatQ instance.
4. Click on the Add New Integration button.
5. Upload the action zip file using one of the following methods:
   • Drag and drop the zip file into the dialog box
   • Select Click to Browse to locate the zip file on your local machine

   ThreatQ will inform you if the action already exists on the platform and will require user confirmation before proceeding. ThreatQ will also inform you if the new version of the action contains changes to the user configuration. The new user configurations will overwrite the existing ones for the action and will require user confirmation before proceeding.

You will still need to configure the action.

Configuration

ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.
 

To configure the integration:

1. Navigate to your integrations management page in ThreatQ.
2. Select the Actions option from the Category dropdown (optional).
3. Click on the action entry to open its details page.
4. Enter the following parameters under the Configuration tab:

   The configurations set on this page will be used as the default settings when inserting this action into a new workflow. Updating the configurations on this page will not update any instances of this action that have already been deployed to a workflow. In that scenario, you must update the action’s configurations within the workflow itself.

   Parameter	Description
   API Key	Your FS-Group API Key.
   Disable Proxies	Enable this parameter if the action should not honor the proxies set in ThreatQ.
   Enable SSL Verification	When enabled, the action validates the host-provided SSL certificate.  This option is enabled by default.

   
   
5. Review any additional settings, make any changes if needed, and click on Save.

Actions

The following action is available:

[
    {
        "103.234.119.248": {
            "data": [],
            "meta": {
                "enrichment": {
                    "asn": 150306,
                    "asn_name": "dewan enterprise",
                    "city": "rangpur sadar",
                    "conn_speed": "broadband",
                    "conn_type": "wifi",
                    "count": 122,
                    "country": "Bangladesh",
                    "country_code": "bd",
                    "criminal": true,
                    "ip": "103.234.119.248",
                    "isp": "dewan enterprise",
                    "latitude": 25.75,
                    "listed_location": null,
                    "longitude": 89.23,
                    "method": "website",
                    "ns_name": "104-195-225-43.cpe.teksavvy.com",
                    "organization": "dewan enterprise",
                    "proxy": true,
                    "proxy_description": null,
                    "proxy_type": null,
                    "region": "f",
                    "source_description": "This IP address has been associated with a proxy network providing residential and datacenter services.",
                    "source_id": "f15c917a-9d2e-4fe9-9fde-80bc0221f79f",
                    "source_name": "pyproxy",
                    "source_type": "proxy",
                    "tags": [
                        "Proxy",
                        "Criminal",
                        "Exit"
                    ],
                    "timestamps": [
                        {
                            "context": "first_seen",
                            "raw": "2024-04-23T00:00:00.000000Z",
                            "value": 1713830400
                        },
                        {
                            "context": "last_seen",
                            "raw": "2024-10-15T00:00:00.000000Z",
                            "value": 1728950400
                        }
                    ],
                    "url": "pyproxy.com"
                },
                "total": 0,
                "version": "4.33.8"
            }
        }
    },
    200
]

Enriched Data

Object counts and action runtime are supplied as generalities only - objects returned by a provider can differ based on credential configurations and action runtime may vary based on system resources and load.

Known Issues / Limitations

• This provider works with an IP whitelist; to ingest data from this feed, the public IP address of the ThreatQ instance must be whitelisted by FS-Group.

Change Log

• Version 1.0.0
  • Initial release