Resilient Operation

The web format of this guide reflects the most current release. Guides for older iterations are available in PDF format.

Integration Details

ThreatQuotient provides the following details for this integration:

Introduction

The Resilient Operation for ThreatQuotient enables a ThreatQ user to create Resilient incidents directly from ThreatQ. It also lets you query Resilient from ThreatQ to search if an indicator is related to an incident in Resilient.

The operation provides the following actions:

  • Create - creates the selected event (from ThreatQ) as an Incident in Resilient.
  • Enrich Indicator - checks if the indicator is an existing artifact that is related to incidents.

The operation is compatible with Events and Indicators.

Prerequisites

This operation requires users to have an API key set up for Resilient with the proper permissions. To execute both actions, the API key needs the ability to create and read artifacts and incidents.

Installation

This integration can be installed in the My Integration section of your ThreatQ instance. See the Adding an Integration topic for more details.

Configuration

ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.

To configure the integration:

  1. Navigate to your integrations management page in ThreatQ.
  2. Select the Operation option from the Type dropdown (optional).
  3. Click on the integration entry to open its details page.
  4. Enter the following parameters under the Configuration tab:

     Parameter: Description

     Host: Enter the hostname or IP address for your Resilient Server.
     Email: Enter a Resilient email address to authenticate with your Resilient Server.
     Password: Enter the password associated with the above email address.
     Organization: Enter the Organization for the specified user from Resilient.
     Time Zone: Select the time zone for your Resilient instance. This is used for syncing occurrence dates with ThreatQ.
     Custom Attribute Mapping: You can map ThreatQ Attributes to Resilient Custom Fields here. Each mapping is line-delimited and equals-separated. The Resilient Custom Field name must be the programmatic API name (found in Customization Setting).

         Custom Field Mapping Example:

         ThreatQ Attribute Name=Resilient Custom Field API Name

         MITRE Attack Tactic Name=mitre_tactic_name
         Threat Confidence=confidence_level

     Custom Object Mapping: You can map ThreatQ Objects to Resilient Custom Fields here. Each mapping is line-delimited and equals-separated. The Resilient Custom Field name must be the programmatic API name (found in Customization Setting).

         Custom Field Mapping Example:

         ThreatQ Attribute Name=Resilient Custom Field API Name

         TTP=mitre_technique_name
  5. Review any additional settings, make any changes if needed, and click on Save.
  6. Click on the toggle switch, located above the Additional Information section, to enable it.
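The mapping settings above are free text, so a malformed line (no equals sign, an empty side, the same ThreatQ attribute mapped twice) is easiest to catch when the configuration is saved rather than when an incident is half-created. The following Python is an added illustration of that idea, not ThreatQuotient's or IBM Resilient's own code: it parses the line-delimited, equals-separated syntax described in the Custom Attribute Mapping row and applies the result to a constructed ThreatQ-style attribute list to produce the custom field values an incident would carry. The attribute shape (`name`/`value` dicts), the sample event, and the choice to join repeated values are assumptions made for the example.

```python
# Added example: parse the line-delimited, equals-separated mapping syntax
# from the Configuration table and apply it to an event's attributes.
# Illustrative code only; not ThreatQuotient's or Resilient's implementation.
# The attribute shape and the sample event below are constructed.


def parse_mapping(text: str) -> dict[str, str]:
    """Parse 'ThreatQ Attribute Name=resilient_api_name' lines.

    Blank lines are skipped. A line without '=', a line with an empty side,
    or a ThreatQ name mapped twice raises ValueError, so a bad setting fails
    at configuration time instead of producing a half-populated incident.
    """
    mapping: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(
                f"line {lineno}: expected 'ThreatQ name=api_name', got {line!r}"
            )
        # Split on the first '=' only, so an API name may itself contain '='.
        tq_name, api_name = (part.strip() for part in line.split("=", 1))
        if not tq_name or not api_name:
            raise ValueError(f"line {lineno}: empty name in {line!r}")
        if tq_name in mapping:
            raise ValueError(f"line {lineno}: {tq_name!r} is mapped more than once")
        mapping[tq_name] = api_name
    return mapping


def build_custom_fields(
    event_attributes: list[dict], mapping: dict[str, str]
) -> dict[str, str]:
    """Key the event's attribute values by Resilient custom field API name.

    Attributes with no mapping are left out. If a mapped attribute occurs
    more than once on the event, the values are joined with ', ' so that
    nothing is silently dropped (an assumption for this example).
    """
    collected: dict[str, list[str]] = {}
    for attr in event_attributes:
        api_name = mapping.get(attr["name"])
        if api_name is None:
            continue
        collected.setdefault(api_name, []).append(str(attr["value"]))
    return {api_name: ", ".join(values) for api_name, values in collected.items()}


# Constructed sample: the mapping text from the guide plus a made-up event.
MAPPING_TEXT = """
MITRE Attack Tactic Name=mitre_tactic_name
Threat Confidence=confidence_level
"""

SAMPLE_EVENT_ATTRIBUTES = [
    {"name": "MITRE Attack Tactic Name", "value": "Initial Access"},
    {"name": "MITRE Attack Tactic Name", "value": "Execution"},
    {"name": "Threat Confidence", "value": "High"},
    {"name": "Analyst Notes", "value": "unmapped, so not sent to Resilient"},
]

if __name__ == "__main__":
    mapping = parse_mapping(MAPPING_TEXT)
    print(build_custom_fields(SAMPLE_EVENT_ATTRIBUTES, mapping))
```

Only attributes that appear in the mapping are forwarded, which keeps fields such as internal analyst notes out of the incident unless an operator maps them deliberately.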

Actions

The operation provides the following actions:

Action            Description                                                                    Object Type  Object Subtype
Create            Creates the selected event (from ThreatQ) as an Incident in Resilient.         Event        N/A
Enrich Indicator  Checks if the indicator is an existing artifact that is related to incidents.  Indicator    All

Change Log

  • Version 1.1.2
    • N/A
  • Version 1.0.0
    • Initial release

PDF Guides

Document                          ThreatQ Version
Resilient Operation Guide v1.0.0  4.29.0 or Greater