About Air Gapped Data Sync (AGDS)

Air Gapped Data Sync (AGDS) allows you to transfer data from a source ThreatQ installation to a target air gapped ThreatQ installation. ThreatQ defines an air gapped system as one that is not connected to a public network. This means that external feed ingestion does not occur on the air gapped installation.

ThreatQ recommends that you consult with ThreatQ Support or a Threat Intelligence Engineer prior to performing an Air Gapped Data Sync.

An Air Gapped Data Sync consists of two synchronization commands:

  • threatq:sync-export - The read command that copies data from the source ThreatQ installation
  • threatq:sync-import - The write command that copies data to the target ThreatQ installation

If you are using LDAP or SAML authentication on your Source ThreatQ instance, and require users transferred via import to have authentication capabilities on your Target ThreatQ instance, then you must enable the same authentication method on your Target ThreatQ instance before performing an import.

Do not deviate from or change the following deployment details and configurations without first consulting ThreatQuotient. Any deviation from ThreatQuotient recommended settings could result in system and platform instability, may render the system non-operational, and is not supported.

System Requirements

To use Air Gapped Data Sync, ThreatQ installations must meet the following requirements:

  • ThreatQ v4.15 or later must be installed.
  • All ThreatQ installations must run the same software version.
  • All ThreatQ installations must be set to the correct time, time zone, and date, and use a clock source available to all. UTC is recommended.
  • All ThreatQ installations must be set to UTC.

New Installs

See the ThreatQ Platform Air Gapped Installation Guide for detailed information on new installs of ThreatQ on an air gapped device.

Air Gapped Data Sync (AGDS) and Investigation Sharing

The AGDS export process does not include Data Collections or Dashboards, but it can include Investigations if you add the following parameter:

--include-investigations=Y

The AGDS export/import process transfers users from an outside system to an air gapped system, but only for the purpose of maintaining them as sources. These users are automatically disabled on the air gapped system. As such, any permissions assigned to these users would be invalid on the air gapped system, so permissions are not transferred as part of the AGDS export process.

When you run the AGDS import process on the target box, ownership of any new Investigation is assigned to the most recently created admin or super user. This owner is responsible for assigning permissions to other users on the air gapped system. The import process does not apply any changes to existing permissions even if the Investigation receives updates.

Air Gapped Data Sync (AGDS) and User Accounts

The AGDS export/import process transfers user accounts to the air-gapped system because they are also used as Sources. These user accounts are automatically set to disabled on the air-gapped system. Since these user accounts are disabled on the air-gapped system, any associated custom roles are excluded from the AGDS export/import process.