Cisco AMP Threat Grid Feed

Updated 2 months ago by Elvis Hovor

Introduction

TruSTAR is a threat intelligence platform designed to accelerate the incident analysis process and the exchange of intelligence among internal and external teams. This document describes how paying customers of Cisco Threat Grid can ingest reports and indicators from Threat Grid into a TruSTAR enclave and correlate them with the other data sources stored in their TruSTAR enclaves.

Prerequisites

This integration requires TruSTAR users to be paying customers of Cisco Threat Grid and have access to the Threat Grid portal to generate their API key.

Configure Integration

After you have retrieved your Cisco Threat Grid API key, follow these steps:

  1. Log into TruSTAR Station and go to Explore->Marketplace (https://station.trustar.co/browse/marketplace).
  2. Click on Closed Sources.
  3. Click on the Cisco AMP Threat Grid Feed logo and fill in your API key.
  4. Click Submit.

TruSTAR will validate and enable any or all of the Threat Grid integrations within 48 hours. You will receive an email from us as soon as the integration is enabled.

After the integration is enabled, you should see reports from Threat Grid being submitted into an enclave you control.

FAQ

What data do you currently pull from Cisco Threat Grid? 

Our integration currently only pulls reports from Threat Grid that contain the cyber IOC types listed below.

These include:

  • IP
  • Domain
  • URL (Domains are extracted from URL)
  • SHA256
  • SHA1
  • MD5
  • REGISTRY_KEY

Please contact us if you would like to discuss additional indicators that can be queried from Threat Grid.

How often is the data pulled?

Our integration retrieves data from Cisco Threat Grid every 15 minutes.

Technical Details 

Cisco Threat Grid Analysis Feeds

Workflow:

  • Get all events/feeds of IOCs using the IOC Feeds APIs listed below.
  • If severity < 90, tag the event using the TAGS API, using the IOC's severity value as the tag.
  • If severity >= 90, check whether the event is already tagged with its score (using the GET tags API). If it is already tagged, retrieve all related events (using the samples/search API) and submit them to TruSTAR with the tag Retro. Otherwise, tag the event according to its severity score and submit it to TruSTAR:
  • Severity score >= 95: tag the event as Blocked.
  • Severity score between 90 and 94: tag the event as Suspicious.

Note - Maximum report submissions: 500. Only 100 reports are considered from each API result (IP, Domain, URL, Artifact and Registry Key feeds).

TAGS API

To create a tag on an event using its sample id (POST):

https://panacea.threatgrid.com/api/v2/samples/82fbfd50ca339db195a89d4771bf228d/tag?api_key=&tag=74

To get the tags of an event using its sample id (GET):


Response:

{
  "api_version": 2,
  "id": 7933134,
  "data": {
    "sample": "82fbfd50ca339db195a89d4771bf228d",
    "tags": [
      {
        "tag": "74",
        "count": 1,
        "mine": true
      }
    ]
  }
}

IOC Feeds

IP Address Feed -

https://panacea.threatgrid.com/api/v2/iocs/feeds/ips?limit=10&after=2018-01-18T00:00:00&before=2018-01-18T02:00:00&confidence=75&severity=75&ip=106.234.82.30&api_key=

Response:

{
  "api_version": 2,
  "id": 8043059,
  "data": {
    "index": 0,
    "current_item_count": 1,
    "items_per_page": 10,
    "items": [
      {
        "ip": "106.234.82.30",
        "port": null,
        "timestamp": "2018-01-18T01:35:17Z",
        "ioc": "network-communications-smb",
        "confidence": 90,
        "severity": 90,
        "sample_id": "c39b5370357eb0a73377cc8d70885b68",
        "sample_sha256": "8c62eb1f53586ff401aa676ef831aff02227c4bbf40841a8db8cc6289bb29f5d"
      }
    ]
  }
}

Domain/Hostname Feed -

https://panacea.threatgrid.com/api/v2/iocs/feeds/domains?limit=10&after=2018-01-18T00:00:00&before=2018-01-18T02:00:00&confidence=75&severity=75&domain=google.com&api_key=

Response:

{
  "api_version": 2,
  "id": 8043059,
  "data": {
    "index": 0,
    "current_item_count": 1,
    "items_per_page": 10,
    "items": [
      {
        "domain": "google.com",
        "timestamp": "2018-01-18T01:35:17Z",
        "ioc": "network-communications-smb",
        "confidence": 90,
        "severity": 90,
        "sample_id": "c39b5370357eb0a73377cc8d70885b68",
        "sample_sha256": "8c62eb1f53586ff401aa676ef831aff02227c4bbf40841a8db8cc6289bb29f5d"
      }
    ]
  }
}

URL Feed -

https://panacea.threatgrid.com/api/v2/iocs/feeds/urls?limit=10&after=2018-01-18T00:00:00&before=2018-01-18T02:00:00&confidence=75&severity=75&url=http://www.miglioriaspirapolvere.it:80/wp-content/cache/minify/18550.js&api_key=

Response:

{
  "api_version": 2,
  "id": 6981939,
  "data": {
    "index": 0,
    "current_item_count": 1,
    "items_per_page": 10,
    "items": [
      {
        "url": "http://www.miglioriaspirapolvere.it:80/wp-content/cache/minify/18550.js",
        "timestamp": "2018-01-18T01:57:46Z",
        "ioc": "network-communications-http-get",
        "confidence": 75,
        "severity": 75,
        "sample_id": "82fbfd50ca339db195a89d4771bf228d",
        "sample_sha256": "87f0e85707b026014ac40e915432562af65ac0339cfe50a3b34a53176057689a"
      }
    ]
  }
}

Artifact Feed (MD5, SHA1, SHA256) -

https://panacea.threatgrid.com/api/v2/iocs/feeds/artifacts?limit=10&sha256=de9e0b913ef183ff8cb067c539ff64ca3f17c7e826d5f80e0d3453b27834989e&api_key=

TruSTAR report content is stored as JSON.

TruSTAR Report Content Mapping:

Report title - IP <IOC Value> (e.g. IP 99.45.72.34)

External id - Encoded value of "IP <IOC Value>" (e.g. IP 99.45.72.34)

Report Body - The entire JSON content received from Cisco Threat Grid is stored as the report body.

Time begun - The feed item's timestamp (e.g. 2018-01-18T01:35:17Z)

Tags - As per the workflow logic (based on the severity score)
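The following is an added example, not TruSTAR's or Cisco's own code, that ties together the workflow in the Technical Details section and the report content mapping above: it builds a feed query in the shape of the URLs shown on this page, applies the severity thresholds (below 90 tag with the score only, 90 to 94 Suspicious, 95 and above Blocked, already-tagged samples resubmitted as Retro), enforces the 100-per-feed and 500-overall caps, and maps each item to the TruSTAR report fields. The input is constructed from the sample responses on this page. Assumptions not stated on the page: the title prefixes for non-IP feeds (DOMAIN, URL, SHA256), base64 as the "encoding" of the external id, and that the tag and samples/search calls to Threat Grid happen elsewhere (here the "already tagged" answer is passed in as a set of sample ids, and the related-events expansion is omitted).

```python
"""Added example, not TruSTAR's or Cisco's own code: the severity-based
tagging workflow and the TruSTAR report mapping described on this page,
applied to feed items constructed from the page's sample responses."""
import base64
import json
from urllib.parse import urlencode

BLOCKED_MIN = 95       # severity >= 95            -> tag "Blocked"
SUSPICIOUS_MIN = 90    # 90 <= severity <= 94      -> tag "Suspicious"
MAX_PER_FEED = 100     # only 100 items considered per feed API result
MAX_SUBMISSIONS = 500  # overall cap on report submissions

# IOC field per feed and the report-title prefix. The page shows only the
# "IP <value>" title; the prefixes for the other feeds are assumptions.
FEED_FIELDS = {
    "ips": ("ip", "IP"),
    "domains": ("domain", "DOMAIN"),
    "urls": ("url", "URL"),
    "artifacts": ("sha256", "SHA256"),
}

FEED_BASE = "https://panacea.threatgrid.com/api/v2/iocs/feeds/"


def feed_url(feed, after, before, api_key, **filters):
    """Build a feed query like the ones on this page, api_key as the last parameter."""
    params = {"limit": 10, "after": after, "before": before,
              "confidence": 75, "severity": 75, **filters, "api_key": api_key}
    return FEED_BASE + feed + "?" + urlencode(params)


def classify(severity, already_tagged):
    """Return (tag, submit) for one feed item per the workflow on this page.

    already_tagged is the answer the GET tags API would give: whether the
    sample already carries its score as a tag.
    """
    if severity < SUSPICIOUS_MIN:
        return str(severity), False       # tag with the score only; no submission
    if already_tagged:
        return "Retro", True              # known sample: resubmit as Retro
    if severity >= BLOCKED_MIN:
        return "Blocked", True
    return "Suspicious", True


def to_report(feed, item, tag):
    """Map one feed item to the TruSTAR report fields listed on this page."""
    field, prefix = FEED_FIELDS[feed]
    title = f"{prefix} {item[field]}"
    return {
        "title": title,
        # "Encoded value of" the title; the encoding is unspecified, base64 assumed
        "external_id": base64.b64encode(title.encode()).decode(),
        "body": json.dumps(item, sort_keys=True),   # entire JSON item as body
        "time_begun": item["timestamp"],
        "tags": [tag],
    }


def build_reports(feed_results, tagged_samples):
    """Apply the per-feed and overall caps and return the reports to submit.

    feed_results: {feed name: list of "items" from that feed's response}
    tagged_samples: set of sample_ids already tagged with their score
    """
    reports = []
    for feed, items in feed_results.items():
        for item in items[:MAX_PER_FEED]:
            tag, submit = classify(item["severity"], item["sample_id"] in tagged_samples)
            if submit and len(reports) < MAX_SUBMISSIONS:
                reports.append(to_report(feed, item, tag))
    return reports


# Constructed sample input, modelled on the responses shown on this page.
SAMPLE_FEEDS = {
    "ips": [{"ip": "106.234.82.30", "port": None, "timestamp": "2018-01-18T01:35:17Z",
             "ioc": "network-communications-smb", "confidence": 90, "severity": 90,
             "sample_id": "c39b5370357eb0a73377cc8d70885b68",
             "sample_sha256": "8c62eb1f53586ff401aa676ef831aff02227c4bbf40841a8db8cc6289bb29f5d"}],
    "urls": [{"url": "http://www.miglioriaspirapolvere.it:80/wp-content/cache/minify/18550.js",
              "timestamp": "2018-01-18T01:57:46Z", "ioc": "network-communications-http-get",
              "confidence": 75, "severity": 75,
              "sample_id": "82fbfd50ca339db195a89d4771bf228d",
              "sample_sha256": "87f0e85707b026014ac40e915432562af65ac0339cfe50a3b34a53176057689a"}],
}

if __name__ == "__main__":
    for r in build_reports(SAMPLE_FEEDS, tagged_samples=set()):
        print(r["title"], r["tags"], r["time_begun"])
```

With the constructed input, only the IP item (severity 90) becomes a report, tagged Suspicious; the URL item (severity 75) is tagged with its score in Threat Grid and not submitted. Passing the IP item's sample id in tagged_samples turns its tag into Retro.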

Please reach out to support@trustar.co for any additional questions.
