Current ThreatQ Version Filter

Deception Logic HoneyDB CDF

The web format of this guide reflects the most current release. Guides for older iterations are available in PDF format.

Integration Details

ThreatQuotient provides the following details for this integration:

Current Integration Version

1.0.0

Compatible with ThreatQ Versions

>= 4.44.0

Support Tier

ThreatQ Supported

Introduction

The Deception Logic HoneyDB CDF ingests data from HoneyDB Bad Hosts; a feed that consumes information published by HoneyDB about bad hosts. A bad host is a host on the Internet that has connected or attempted to connect to one of the honeypots that feed data to HoneyDB.

The integration provides the following feed:

HoneyDB Bad Hosts - ingests IP Address indicators from the HoneyDB.

The integration ingests indicators (IP Addresses) into the ThreatQ platform.

Installation

This integration can be installed in the My Integration section of your ThreatQ instance. See the Adding an Integration topic for more details.

Configuration

ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.

To configure the integration:

Navigate to your integrations management page in ThreatQ.
Select the Commercial option from the Category dropdown (optional).
If you are installing the integration for the first time, it will be located under the Disabled tab.
Click on the integration entry to open its details page.

Enter the following parameters under the Configuration tab:

Parameter	Description
API ID	Your HoneyDB API ID.
API Key	Your HoneyDB API Key.

Review any additional settings, make any changes if needed, and click on Save.
Click on the toggle switch, located above the Additional Information section, to enable it.

ThreatQ Mapping

HoneyDB Bad Hosts

The HoneyDB Bad Hosts feed ingests IP Address indicators.

GET https://honeydb.io/api/bad-hosts

Sample Response:

[
   {
      "remote_host":"121.183.78.86",
      "count":"203",
      "last_seen":"2015-09-07"
   },
   {
      "remote_host":"117.12.127.121",
      "count":"203",
      "last_seen":"2015-09-07"
   },
   {
      "remote_host":"60.3.51.115",
      "count":"203",
      "last_seen":"2015-09-07"
   }
]

ThreatQuotient provides the following default mapping for this feed:

Feed Data Path	ThreatQ Entity	ThreatQ Object Type or Attribute Key	Published Date	Examples	Notes
[].remote_host	Indicator.Value	IP Address	N/A	121.183.78.86	N/A

Change Log

Version 1.0.0
- Initial release

PDF Guides

Document	ThreatQ Version
Deception Logic HoneyDB CDF Guide v1.0.0	4.44.0 or Greater