Integration Details

ThreatQuotient provides the following details for this integration:

Current Integration Version	1.0.0
Compatible with ThreatQ Versions	>= 4.20.0
Support Tier	ThreatQ Supported

Introduction

The Cisco Threat Response Operation for ThreatQuotient enables a user to query Cisco Threat Response for contextual information on a given indicator of compromise.

The operation provides the following action:

• Enrich - queries Cisco Threat Response for any enrichment context it has on an indicator.

The operation is compatible with the following indicator types:

Email Subject FQDN File Path Filename IP Address IPv6 Address

MAC Address MD5 Mutex SHA-1 SHA-256 Username

Installation

Configuration

ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.

To configure the integration:

1. Navigate to your integrations management page in ThreatQ.
2. Select the Operation option from the Type dropdown (optional).
3. Click on the integration entry to open its details page.
4. Enter the following parameters under the Configuration tab:

   Parameter	Description
   Region	The region of your Cisco Threat Response instance.
   API Client ID	Your Cisco Threat Response API Client ID.
   API Client Secret	Your Cisco Threat Response API Client Secret.

5. Review any additional settings, make any changes if needed, and click on Save.
6. Click on the toggle switch, located above the Additional Information section, to enable it.

Actions

The operation provides the following action:

Action	Description	Object Type	Object Subtype
Enrich	Queries Cisco Threat Response for any enrichment context it has on an indicator.	Indicator	Email Subject, FQDN, File Path, Filename, IP Address, IPv6 Address, MAC Address, MD5, Mutex, SHA-1, SHA-256, Username

Enrich

The Enrich action queries Cisco Threat Response for any enrichment context it has on an indicator.

Example Output

Change Log

• Version 1.0.0
  • Initial release