Integration Types
ThreatQ integrations include Actions, Apps, Configuration-Driven Feeds (CDFs), Custom Connectors, and Operations. This topic highlights specific information about each type of integration.
Actions
ThreatQ Actions are YAML snippets, utilized by ThreatQ TDR, that you can use to build custom workflows to enrich the data in a specified data collection. See the ThreatQ TDR Orchestrator (TQO) section for more information.
Apps
ThreatQ Apps are designed to operate outside of the ThreatQ platform. The app communicates with third-party applications, such as QRadar and Splunk, and executes user-defined actions. This can result in information being pushed to and from the third-party application and your ThreatQ instance. Threat intelligence information from these actions can then be ingested back into ThreatQ.
Configuration-Driven Feeds (CDFs)
ThreatQ Configuration-Driven Feeds (CDFs) utilize one or more threat intelligence endpoints for a provider. You can configure what type of information you ingest into the ThreatQ platform and how you ingest it. CDFs fall under one of two categories on the ThreatQ My Integrations page:
- Commercial - Commercial CDFs are provided by paid feed providers as a service. To enable these integrations in ThreatQ, you will need an API ID or API Key from the provider. Commercial CDFs typically provide highly contextual threat intelligence data. You can learn more about available CDFs on the ThreatQ Marketplace.
- OSINT - OSINT CDFs are open source threat intelligence feeds. Open source feeds are free to use, but some may require you to register with the feed provider to attain an API Key.
CDFs override indicator statuses to the default status defined in the CDF and override signature statuses to a default value of Active.
Custom Connectors
ThreatQ Custom Connectors are driven by ThreatQuotient’s Threat Intelligence Services Team and provide a solution for data ingestion that is not covered by existing CDFs available on the ThreatQ Marketplace.
Custom Connectors are typically installed via the command line interface and usually require a CRON job to be created to manage connector runs.
Once installed, Custom Connectors are located under the Labs category dropdown on the My Integrations page.
Operations
ThreatQ Operations enhance your threat intelligence data by allowing you to add attributes, as well as related indicators, from third-party security services, both commercial and open source. You accomplish this by creating objects to connect to a desired service, receive threat intelligence, and display that threat intelligence in ThreatQ.
Installed operations will appear under the Operations option for the Type dropdown in the My Integrations filters. You can execute operations from a threat object's details page - see the Running an Operation topic for more details.