Adding TQO Actions

Transcript

1 00:00:10.593 --> 00:00:17.017 TQO actions are YAML snippets you can use to enrich the data specified by your workflow's data collection.
2 00:00:17.267 --> 00:00:23.314 Actions are not designed to run by themselves, but instead be inserted into your enrichment workflows.
3 00:00:23.940 --> 00:00:29.612 ThreatQ uses a naming convention to convey how many actions are contained in an integration.
4 00:00:30.071 --> 00:00:33.992 Bundles indicate that two or more actions are included in the YAML file.
5 00:00:34.617 --> 00:00:41.666 To install a TQO Action, first review the action’s individual user guide located on the ThreatQ Help Center.
6 00:00:42.125 --> 00:00:50.508 Confirm that you have met all requirements, including any required custom objects or third-party libraries covered in the prerequisites section.
7 00:00:51.051 --> 00:00:54.095 Download the action from the ThreatQ marketplace.
8 00:00:54.721 --> 00:00:57.682 The standard format for these downloads will be a zip file.
9 00:00:58.058 --> 00:01:04.230 The zip file contains the action YAML file and an icon that will be displayed in TQO workflows.
10 00:01:04.689 --> 00:01:10.028 TQO actions are the only integrations that can be installed by uploading a zip file.
11 00:01:10.570 --> 00:01:18.453 If the action requires a custom object, extract those files from the zip file and follow the steps in the guide to install the object.
12 00:01:18.953 --> 00:01:22.999 Custom objects cannot be installed using the ThreatQ user interface.
13 00:01:24.125 --> 00:01:29.756 Navigate to your ThreatQ instance, click on the integrations heading, and select the actions option.
14 00:01:30.924 --> 00:01:35.095 The My Integrations page will load with the view filtered to TQO actions.
15 00:01:35.678 --> 00:01:39.432 Click on Add New Integration to open the add new integration modal.
16 00:01:39.974 --> 00:01:45.980 Upload your action zip file by clicking and dragging it onto the modal or using the Click to browse option.
17 00:01:46.731 --> 00:01:51.694 If you are installing an action bundle, you will be prompted to select which actions to install.
18 00:01:55.281 --> 00:02:04.499 If you are updating an existing action, the platform will inform you that the action already exists on the platform and will require your confirmation before proceeding.
19 00:02:05.333 --> 00:02:11.172 ThreatQ will also inform you if the new version of the action contains changes to the user configuration.
20 00:02:12.006 --> 00:02:18.638 The new user configurations will overwrite the existing ones for the action and will require your confirmation before proceeding.
21 00:02:21.391 --> 00:02:24.352 The action will now be installed on your ThreatQ instance.
22 00:02:25.353 --> 00:02:29.315 Click on the integration card for the action to access its configuration page.
23 00:02:29.899 --> 00:02:32.569 Complete the required parameter fields for the action.
24 00:02:33.319 --> 00:02:39.701 The configurations set on this page will be used as the default settings when inserting this action into a new workflow.
25 00:02:40.410 --> 00:02:47.917 Updating the configurations on this page will not update any instances of this action that have already been deployed to a workflow.
26 00:02:48.626 --> 00:02:53.173 In that scenario, you must update the action’s configuration within the workflow itself.
27 00:02:53.923 --> 00:03:01.306 Also, any changes made to an action’s configuration within a workflow will not affect the default configurations for the action itself.
28 00:03:02.348 --> 00:03:05.685 Once you have completed the default configurations, click on save.
29 00:03:06.603 --> 00:03:11.649 Your TQO action is now installed and configured for use with your TQO workflows.