ThreatQuotient Best Practices
ThreatQuotient provides best practices recommendations as guidelines for maximizing your use of our products and services. These recommendations leverage customer feedback and experiences as well as our industry knowledge.
ThreatQuotient updates this information biannually and recommends you reference the most recent version to keep up with the current best practices guidelines.
General
Upgrades
- Sign up for Release Note notifications via Product Emails.
- Perform user acceptance testing (UAT), including soak testing, before upgrading.
- Upgrade to the latest version after UAT. At minimum, do not lag by more than one release.
User Access/Permissions
- Each ThreatQ instance must have at least one user account with Maintenance or Administrator privileges.
- Ensure that users and systems have the minimum access privileges required to perform their job functions. Perform periodic reviews of permission levels to ensure they are still appropriate.
- Control access to data collections, dashboards, and investigations by assigning sharing permissions.
- Avoid tying integrations to a single employee’s login:
  - Use a non-user account to install integrations. For example, set up a ThreatQ user ID named TQ Integrations associated with a group email address (e.g., integrations@threatq.com) so your entire team receives email notifications for it.
  - If an integration provider also requires a login/password, set up a non-user account on the integration provider side.
- After applying a new ThreatQ license which adds or removes a product, review existing user account permissions and update them to grant or remove access. For example, after you add a ThreatQ Data Exchange license, you will need to give users access to view, create, or edit OpenDXL transports or TAXII server pages by adding the Edit Data Exchange Feeds action permission.
ThreatQ Backups
- Establish and maintain a backup schedule and retention policy that, at a minimum, includes backups before upgrades as well as nightly backups.
- Run backups during a scheduled maintenance window outside of critical availability periods. Alternatively, run an online backup, which backs up your database without performing a Solr backup and lets users continue working in ThreatQ while the backup runs.
- Store backups on a mounted drive or file location rather than the local file system.
- Maintain a documented disaster recovery plan.
Environment Specifications
- As your data storage increases, verify that your environment meets Virtual and BYOD System Requirements.
- Verify that your proxy configuration meets ThreatQ published standards for user interface processes and connectors.
- Configure chrony as your Network Time Protocol (NTP) client.
- Verify that your time server is compatible with RKE2.
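The two time-related items above are easy to get wrong silently (a commented-out source, a single source that cannot be cross-checked, no makestep so a large initial offset is never corrected). The following script is an added example, not ThreatQuotient's code: it builds a constructed sample chrony.conf in a temp file and checks it the way a pre-deployment compliance script would. The hostnames, the file path and the "at least two sources" rule are assumptions, not ThreatQ-published requirements.

```shell
#!/bin/sh
# Added example (not ThreatQuotient's code): sanity-check a chrony client
# configuration before relying on it for platform and RKE2 time sync.
# Hostnames, file location and the two-source rule are assumptions.

# Constructed sample configuration; in practice point the checks at
# /etc/chrony.conf on the ThreatQ host.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat >"$SAMPLE_CONF" <<'EOF'
# time sources (hypothetical internal NTP servers)
server ntp1.example.internal iburst
server ntp2.example.internal iburst
# step the clock if it is more than 1 s off during the first 3 updates
makestep 1.0 3
# keep the hardware clock in step with the system clock
rtcsync
driftfile /var/lib/chrony/drift
EOF

# count_time_sources <conf>: number of uncommented 'server' or 'pool' lines.
# grep -c exits 1 when the count is 0, so '|| true' keeps the "0" output.
count_time_sources() {
    grep -Ec '^[[:space:]]*(server|pool)[[:space:]]' "$1" || true
}

# has_directive <conf> <name>: exit 0 if <name> is set and not commented out
has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# check_chrony_conf <conf>: print findings; return the number of hard failures
check_chrony_conf() {
    conf=$1
    problems=0
    n=$(count_time_sources "$conf")
    if [ "$n" -lt 1 ]; then
        echo "FAIL: no server/pool directive in $conf; chronyd has nothing to sync to"
        problems=$((problems + 1))
    elif [ "$n" -lt 2 ]; then
        echo "WARN: only one time source; a single source cannot be cross-checked"
    fi
    if ! has_directive "$conf" makestep; then
        echo "WARN: no makestep; a large initial offset will only be slewed slowly"
    fi
    if ! has_directive "$conf" rtcsync; then
        echo "WARN: no rtcsync; hardware clock will drift from the system clock"
    fi
    [ "$problems" -eq 0 ] && echo "OK: $conf declares $n time source(s)"
    return "$problems"
}

# Run the check once when executed directly.
check_chrony_conf "$SAMPLE_CONF" || echo "configuration problems found: $?"
```

Once the real file is in place, `chronyc tracking` shows whether chronyd is synchronised and by how much the clock is off, and `chronyc sources -v` lists each configured source with its reachability, which is the evidence to collect before deciding the time server is suitable for RKE2.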
System Health Monitoring
- As of ThreatQ v5.11, you can no longer log into the ThreatQ Monitoring Platform with a root login. If not already completed, set up a non-root Admin or Maintenance user account for access.
- Use the ThreatQ Monitoring Platform to monitor system resources and logs.
- Ensure your internal network monitoring system and Ops team monitor the ThreatQ platform. This monitoring should include platform health (storage and CPU utilization) as well as Critical System process monitoring.
Intel Policy
- Implement a False Positive Management process that includes criteria and methods for identifying, reviewing, and removing unhelpful intel and its sources.
Technical Support
Reporting Issues
- To report a Support issue, use one of the following options listed on the Help Center:
  - Web
  - Phone or Live Chat - Use these options for urgent requests.
- When describing the issue, include information on actual behavior and expected behavior as well as your current application and integration versions if relevant.
- Describe any recent internal/external changes to your environment such as network changes or upgrades.
- Provide error logs and screenshots.
- Specify issue urgency and describe how it impacts your business operations including examples.
- Identify a point of contact for the issue. To ensure timely resolution, it is helpful to list any communication limits (e.g., not available for calls after 6 PM) as well as specify a secondary point of contact.
- To focus troubleshooting and speed resolution, report one issue per ticket.
Requesting New Features
- For new feature requests for ThreatQ products, submit your request to ThreatQuotient Support.
- Describe the business need for the request.
- Provide a use case for the request.
- For assistance in developing and deploying a custom solution, contact ThreatQuotient Sales.
ThreatQ Platform
Audit Threat Library
- Set up a schedule for reviewing system objects to ensure that you remove noise so you can focus on relevant intelligence data.
- Use the bulk delete process to remove system objects. Based on the number of objects to be removed, you may want to break this process into smaller batches.
- Set up configuration driven feeds (CDFs) to use filters where applicable.
- Configure a Data Retention Policy to remove unwanted data on a daily or weekly schedule.
Configure Scoring Algorithms
- Before updating your scoring policy, use the Calculate Impact option in the Scoring tab to evaluate the potential impact. Scoring policy changes can affect a large number of objects and require recalculations that can delay the display of updated scores in the Threat Library. ThreatQuotient does not recommend frequent updates to your scoring policy.
- Focus on relevant threat intelligence by setting up automatic scoring of ingested objects by indicator type, indicator source, attributes, and adversary relationships.
- Periodically review and update your scoring to reflect changes in your industry and organization such as the addition of new intelligence feeds or tools.
Feed Health Emails
- Ensure that at least one user receives in-app or email feed health notifications.
Implement User Authentication
- When you first create ThreatQ user IDs, enable your existing LDAP or SAML user authentication rather than creating local user IDs for all users and converting them at a later time.
- In addition to your user authenticated logins, configure at least one local login with administrator rights.
Permission Management
- Assign editor/viewer permissions to data collections, dashboards, and investigations to control who can view or update these resources.
ThreatQ Integrations
ThreatQ Marketplace
- If you do not have a login already, contact ThreatQuotient Support to request a login to the ThreatQ Marketplace.
- Log into the ThreatQ Marketplace to review and download recommended integration updates.
- Use the Sort By option to view a list of new integrations.
- Click the Submit an integration button to submit an integration for review and publication on the ThreatQ Marketplace.
- Periodically review integrations for validity and functionality.
Integration Upgrades
- Sign up for Integration Release notifications via Product Emails.
- Perform user acceptance testing, including soak testing, before upgrading an integration.
- Upgrade to the latest integration version as soon as it is available.
New Features
- For custom integration requests, contact ThreatQuotient Sales for assistance. Custom integration requests include new integrations, customer-specific changes to existing integrations, and expedited integration updates.
Recommended Integrations (OSINT)
ThreatQ TDR Orchestrator (TQO)
Configuration
- Use an action’s integration configuration page to populate the default values such as the API key. Users will still have the option to change the API key at the workflow level.
Questions/Comments?
Contact ThreatQuotient Customer Success if you have questions about these best practices guidelines or suggestions for new ones.