ThreatQ Object Operation
The web format of this guide reflects the most current release. Guides for older iterations are available in PDF format.
Integration Details
ThreatQuotient provides the following details for this integration:
Current Integration Version | 1.1.0 |
Compatible with ThreatQ Versions | >= 6.0.0 |
Support Tier | ThreatQ Supported |
Introduction
ThreatQ Object operation allows a ThreatQ user to interact with objects in complex ways to better manage the Threat Library.
The operation provides the following actions:
- Object Clone - creates a new object based on the original.
- Inherit from Children - bubbles up relationships and other context from child relationships.
The operation is compatible with the following system objects:
- Event
- Campaign
- Attack Pattern
- Malware
- Exploit Target
- Asset
- Tool
- Adversary
- TTP
- Report
- Intrusion Set
- Course Of Action
- Signature
- Vulnerability
- Identity
- Incident
- Indicator
Installation
Perform the following steps to install the integration. The same steps can be used to upgrade the integration to a new version.
- Log into https://marketplace.threatq.com/.
- Locate and download the integration whl file.
- Navigate to the integrations management page on your ThreatQ instance.
- Click on the Add New Integration button.
- Upload the integration file using one of the following methods:
  - Drag and drop the file into the dialog box
  - Select Click to Browse to locate the integration file on your local machine
ThreatQ will inform you if the operation already exists on the platform and will require user confirmation before proceeding. ThreatQ will also inform you if the new version of the operation contains changes to the user configuration. The new user configurations will overwrite the existing ones for the operation and will require user confirmation before proceeding.
The operation is now installed and will be displayed in the ThreatQ UI. You will still need to configure and then enable the operation.
Configuration
ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.
To configure the integration:
- Navigate to your integrations management page in ThreatQ.
- Select the Operation option from the Type dropdown (optional).
- Click on the integration entry to open its details page.
- Click on the toggle switch, located above the Additional Information section, to enable it.
You can set specific configuration parameters for the actions, referred to as Run Configuration Options in this guide, after selecting the operation from an object's details page or from a ThreatQ Investigation. See the Run Configuration Options sections for the Object Clone and Object Inherit from Children actions for more details.
Actions
The operation provides the following actions:
Action | Description | Object Type | Object Subtype |
---|---|---|---|
Object Clone | Creates a new object based on the original. | All Seeded ThreatQ System Objects | N/A |
Object Inherit from Children | Bubbles up relationships and other context from child relationships. | All Seeded ThreatQ System Objects | N/A |
Object Clone
The Object Clone action creates a new object based on the original.
Run Configuration Options
The following configuration options are available after selecting the action:
These configuration options are set after selecting the Object Clone action to run against an object and are not set from the operation's configuration screen.
Configuration | Description |
---|---|
New Value / Name / Title (Optional) | The new value (or title/name) to give to the cloned object. If none is provided, a prefix will be added. Example: <original value> - CLONE. |
Cloned Object Type | Select the type of object to clone this object to. The default is the original object type. |
Copy Selected Relationships | Select the relationships to copy to the cloned object. |
Copy Primary Description | Enabling this will copy the primary description to the cloned object. |
Copy Non-Primary Description | Enabling this will copy the non-primary description to the cloned object. |
Copy Tags | Enabling this will copy all tags to the cloned object. |
Copy Attributes | Enabling this will copy all attributes (including their sources) to the cloned object. |
Relate Cloned Object to Original | Enabling this will relate the cloned object to the original object. |
Object Inherit from Children
The Object Inherit from Children action bubbles up relationships and other context from child relationships.
Run Configuration Options
The following configuration options are available after selecting the action:
These configuration options are set after selecting the Object Inherit from Children action to run against an object and are not set from the operation's configuration screen.
Configuration | Description |
---|---|
Select the objects you want to inherit context from | Select which objects you'd like context inherited from. |
Select the sub-relationships you'd like to inherit | Select which objects you'd like to inherit from this object's sub-relationships. |
Inherit Tags | Enable this option to bubble up tags to this object. |
Inherit Attributes | Enable this option to bubble up attributes to this object. |
Batch Size | Enter the size of the object's relationships batch. |
Change Log
- Version 1.1.0
  - Added support for copying multiple descriptions (primary vs non-primary) for the Object Clone action.
  - Made the following updates to the Object Clone run configuration parameters:
    - Removed the Copy Description parameter.
    - Added the following new run parameters:
      - Copy Primary Description - enable this run configuration parameter to copy the primary description.
      - Copy Non-Primary Description - enable this run configuration parameter to copy the non-primary description.
  - Updated the minimum ThreatQ version to 6.0.0.
- Version 1.0.3
  - Resolved a timeout issue when submitting a large number of relationships. Relationships will now be grouped and submitted in batches.
- Version 1.0.2
  - Resolved an issue where cloning a custom object resulted in a TypeError.
- Version 1.0.1
  - Updated the hostname for all requests.
  - Updated the minimum ThreatQ version to 5.15.0. This was incorrectly reported as 5.14.0 in a previous announcement.
- Version 1.0.0
  - Initial release
PDF Guides
Document | ThreatQ Version |
---|---|
ThreatQ Object Operation Guide v1.1.0 | 6.0.0 or Greater |
ThreatQ Object Operation Guide v1.0.3 | 5.15 or Greater |
ThreatQ Object Operation Guide v1.0.2 | 5.15 or Greater |
ThreatQ Object Operation Guide v1.0.1 | 5.15 or Greater |
ThreatQ Object Operation Guide v1.0.0 | 4.35 or Greater |