ThreatQ platform has taken a threat-centric approach to security operations. This approach allows security teams to prioritize based on threat and risk, collaborate across teams, automate actions and workflows, and integrate point products into a single security infrastructure.
ThreatQ Open Exchange includes a Configuration Driven Feed (CDF), Software Development Kit (SDK), easy-to-use Application Programming Interface (API) and a comprehensive set of industry-standard interfaces to fully integrate with the equipment, tools, technologies, people, organizations and processes that protect your business.
Loginsoft developed an Integration App to ingest Threat Intelligence Feed into the ThreatQ platform. Integration App is developed using ThreatQ's Open Exchange Framework that allows building a powerful and robust definitions to ingest Threat Intelligence data from a Feed Provider.
Integration Highlights:
- Integration Development:
- Develop Configuration Driven Feed (CDF) that can be used to ingest a Threat Intelligence Feed
- Configure the new Feed in ThreatQ platform (like providing API Key, Feed Run Frequency etc.)
- Feed will automatically run at a configured interval and pull the data from the Threat Intelligence Source
- Incoming Feed data is mapped to ThreatQ platform specific fields and incoming IoCs with attributes are saved in ThreatQ platform
- Relationships/Associations are established between objects
Example: Associate an MD5 (123456789abcdefghijklmnopqrstuvw) with an Adversary (APT40) - MITRE ATT&CK information, if any, is saved as Tactics, Techniques and Procedures (TTPs) in ThreatQ platform
- Complete Quality Assurance (QA) process
- Create User Manual
- Package deliverables -YAML File and User Manual
2. Submit Integration for Approval:
Integration is submitted to ThreatQuotient’s Engineering team for approval. This includes providing Feed Details, Publisher, Feed Type (Commercial or Open Source Intelligence), Vendor Logo, YAML file and User Manual
- ThreatQuotient’s Engineering Review and Approval:
Validation of the integration against the CDF Best Practices listInspection of submitted data mappings and the CDF for data integrity concerns and general user experience and usabilityGeneral Feed Run performanceSubmitted data mappings are converted into a ThreatQ Help Center documentAfter final tweaks, the CDF will be considered Approved and merged to Engineering’s Feed Definitions repository
- Integration Release:
Approved Integration is published to the ThreatQ marketplace https://marketplace.threatq.com/
Here is a look inside the ThreatQ platform with the Threat Intelligence Feed added.
Sample screen that shows ThreatQ’s Threat Library (like Adversaries, Attack Patterns, Campaigns, Indicators, Intrusion Sets, Malware, Signatures, TTPs and Vulnerabilities etc.).
Sample IP Address Indicator with Attributes.
