Investigation Actions Operation
The web format of this guide reflects the most current release. Guides for older iterations are available in PDF format.
Integration Details
ThreatQuotient provides the following details for this integration:
Current Integration Version | 1.0.0 |
Compatible with ThreatQ Versions | >= 4.20.0 |
Support Tier | ThreatQ Supported |
Introduction
The Investigation Actions Operation for ThreatQuotient allows a ThreatQ user to execute additional actions on their investigations directly from a ThreatQ object. The actions extend how a user creates and works with investigations within ThreatQ.
The operation provides the following actions:
- Start - allows a ThreatQ user to start an investigation from any base ThreatQ object (indicator, adversary, event, attachment).
- Add - allows a ThreatQ user to add any base ThreatQ object to an investigation (indicator, adversary, event, attachment).
- Clone - allows a ThreatQ user to clone an investigation from any base ThreatQ object (indicator, adversary, event, attachment).
- Merge - allows a ThreatQ user to merge the investigations related to any base ThreatQ object (indicator, adversary, event, attachment) into a single investigation.
The operation is compatible with the following object types:
- Attachment
- Adversary
- Indicator
- Event
Installation
This integration can be installed in the My Integration section of your ThreatQ instance. See the Adding an Integration topic for more details.
Configuration
ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.
To configure the integration:
- Navigate to your integrations management page in ThreatQ.
- Select the Operation option from the Type dropdown (optional).
- Click on the integration entry to open its details page.
- Review any additional settings, make any changes if needed, and click on Save.
- Click on the toggle switch, located above the Additional Information section, to enable it.
Actions
The operation provides the following actions:
Action | Description | Object Type |
---|---|---|
Start | Allows a ThreatQ user to start an investigation from any base ThreatQ object. | Indicator, Adversary, Event, Attachment |
Add | Allows a ThreatQ user to add any base ThreatQ object to an investigation. | Indicator, Adversary, Event, Attachment |
Clone | Allows a ThreatQ user to clone an investigation from any base ThreatQ object. | Indicator, Adversary, Event, Attachment |
Merge | Allows a ThreatQ user to merge the investigations related to any base ThreatQ object into a single investigation. | Indicator, Adversary, Event, Attachment |
Start
The Start action allows a ThreatQ user to start an investigation from any base ThreatQ object.
The action provides the following parameters:
Parameter | Description |
---|---|
Investigation Name | The name for the new investigation. |
Status | The status for the new investigation. |
Priority | The priority for the new investigation. |
Visibility | The visibility for the new investigation. This parameter can only be set to Shared at this time. |
Description | The description for the new investigation. |
Include Related Indicators | Whether or not to include related indicators in the new investigation. |
Include Related Events | Whether or not to include related events in the new investigation. |
Include Related Adversaries | Whether or not to include related adversaries in the new investigation. |
Include Related Attachments | Whether or not to include related attachments in the new investigation. |
Include Related Custom Objects | Whether or not to include related custom objects in the new investigation. |
Add
The Add action allows a ThreatQ user to add any base ThreatQ object to an investigation.
The action provides the following parameters:
Parameter | Description |
---|---|
Investigation Name | The name of the investigation. |
Clone
The Clone action allows a ThreatQ user to clone an existing investigation from any base ThreatQ object.
The action provides the following parameters:
Parameter | Description |
---|---|
Investigation to Clone | The name of the investigation to clone. |
Investigation Name | The name of the new investigation. |
Status | The status of the new investigation. |
Priority | The priority of the new investigation. |
Visibility | The visibility for the new investigation. This parameter can only be set to Shared at this time. |
Description | The description of the new investigation. |
Merge
The Merge action allows a ThreatQ user to merge the investigations related to any base ThreatQ object into a single investigation.
The action provides the following parameters:
Parameter | Description |
---|---|
Investigation Name | The name for the merged investigation. |
Status | The status for the merged investigation. |
Priority | The priority for the merged investigation. |
Visibility | The visibility for the merged investigation. This parameter can only be set to Shared at this time. |
Description | The description for the merged investigation. |
Known Issues / Limitations
- All investigations created by the operation are created as Shared. If a Private investigation is needed, change its visibility manually after creation. The Clone and Merge actions only work on investigations that are Shared.
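The parameter tables above and the Shared-only limitation translate into a small set of pre-flight checks that a playbook or automation can apply before invoking the operation. The following Python is an added example written for this guide, not ThreatQ's own code or API: the `Investigation` record, the `existing` mapping and the `plan_action` helper are hypothetical stand-ins for data you would fetch from your ThreatQ instance, and the investigation names and object ids are constructed for the example.

```python
"""Pre-flight checks for Investigation Actions requests (hypothetical helper)."""
from dataclasses import dataclass, field

BASE_OBJECT_TYPES = {"indicator", "adversary", "event", "attachment"}
ALLOWED_VISIBILITY = {"Shared"}  # the only value the operation accepts at this time
INCLUDE_KEYS = (
    "Include Related Indicators", "Include Related Events",
    "Include Related Adversaries", "Include Related Attachments",
    "Include Related Custom Objects",
)
COMMON_KEYS = ("Status", "Priority", "Description")


@dataclass
class Investigation:
    """Constructed stand-in for an investigation already present in ThreatQ."""
    name: str
    visibility: str  # "Shared" or "Private"
    related_objects: set = field(default_factory=set)  # ids of linked base objects


class ActionError(ValueError):
    """Raised when a request would violate the operation's documented constraints."""


def _require_shared(inv: Investigation, role: str) -> None:
    # Clone and Merge only work on Shared investigations (Known Issues / Limitations).
    if inv.visibility != "Shared":
        raise ActionError(f"{role} investigation {inv.name!r} is {inv.visibility}; "
                          "switch it to Shared before cloning or merging")


def plan_action(action: str, object_type: str, object_id: str,
                params: dict, existing: dict) -> dict:
    """Validate one action request and return its normalized parameter set.

    `existing` maps investigation name -> Investigation and models what is
    already in ThreatQ; it is constructed input, not a call to the product API.
    """
    if object_type.lower() not in BASE_OBJECT_TYPES:
        raise ActionError(f"{object_type!r} is not a base object type the operation accepts")
    name = params.get("Investigation Name", "").strip()
    if not name:
        raise ActionError("Investigation Name is required for every action")
    visibility = params.get("Visibility", "Shared")
    if visibility not in ALLOWED_VISIBILITY:
        raise ActionError(f"Visibility {visibility!r} not accepted; only Shared can be set")

    out = {"action": action, "object_type": object_type.lower(),
           "object_id": object_id, "Investigation Name": name}

    if action == "Add":  # Add only takes the name of an existing investigation
        if name not in existing:
            raise ActionError(f"Add requires an existing investigation; {name!r} not found")
        return out

    out["Visibility"] = "Shared"
    out.update({k: params.get(k, "") for k in COMMON_KEYS})

    if action == "Start":
        out.update({k: bool(params.get(k, False)) for k in INCLUDE_KEYS})
    elif action == "Clone":
        src = params.get("Investigation to Clone", "")
        if src not in existing:
            raise ActionError(f"Investigation to Clone {src!r} not found")
        _require_shared(existing[src], "Source")
        out["Investigation to Clone"] = src
    elif action == "Merge":
        # Merge candidates are the investigations already related to the object.
        related = [inv for inv in existing.values() if object_id in inv.related_objects]
        if len(related) < 2:
            raise ActionError(f"Merge needs at least two investigations related to "
                              f"{object_id!r}; found {len(related)}")
        for inv in related:
            _require_shared(inv, "Related")
        out["merged_from"] = sorted(inv.name for inv in related)
    else:
        raise ActionError(f"unknown action {action!r}")
    return out


def demo() -> dict:
    """Run the checks over constructed investigations; returns a plan or a rejection per case."""
    existing = {
        "Phish wave 12": Investigation("Phish wave 12", "Shared", {"ind-1", "ind-2"}),
        "APT-X tracking": Investigation("APT-X tracking", "Shared", {"ind-1"}),
        "Analyst notes": Investigation("Analyst notes", "Private", {"ind-2"}),
    }
    cases = {
        "start": ("Start", "indicator", "ind-9",
                  {"Investigation Name": "New case", "Priority": "High",
                   "Include Related Events": True}),
        "private": ("Start", "indicator", "ind-9",
                    {"Investigation Name": "Hidden", "Visibility": "Private"}),
        "clone_private": ("Clone", "event", "evt-3",
                          {"Investigation Name": "Copy", "Investigation to Clone": "Analyst notes"}),
        "merge": ("Merge", "indicator", "ind-1", {"Investigation Name": "Merged ind-1"}),
        "merge_blocked": ("Merge", "indicator", "ind-2", {"Investigation Name": "Merged ind-2"}),
    }
    results = {}
    for label, (action, otype, oid, params) in cases.items():
        try:
            results[label] = plan_action(action, otype, oid, params, existing)
        except ActionError as exc:
            results[label] = f"rejected: {exc}"
    return results
```

In the constructed data, the merge on `ind-1` succeeds because both related investigations are Shared, while the merge on `ind-2` and the clone of the Private investigation are rejected before anything is sent, which is the failure the Known Issues entry describes. Catching it at this stage avoids a half-applied action in the UI.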
Change Log
- Version 1.0.0
- Initial release
PDF Guides
Document | ThreatQ Version |
---|---|
Investigation Actions Operation Guide v1.0.0 | 4.20.0 or Greater |