Cisco AMP Threat Grid

Updated 2 weeks ago by TruSTAR

This document explains how to set up and use the Cisco AMP Threat Grid premium intelligence source with the TruSTAR Web App.

Cisco Threat Grid combines advanced sandboxing with threat intelligence into one unified solution to protect organizations from malware.

  • Source Type: Premium Intel
  • Update Type: Feed-based
  • Update Frequency: 15 minutes
  • Time to Install: 10 minutes

Data Types

The integration pulls these Observables from Cisco Threat Grid:

  • IP
  • Domain
  • URL (Domains are extracted from URL)
  • SHA256
  • SHA1
  • MD5


Requirements

  • Subscription to Cisco AMP Threat Grid
  • Cisco AMP Threat Grid API key

TruSTAR Admin rights are required to activate this Premium Intelligence feed.

Getting Started

  1. Log into the TruSTAR Web App.
  2. Click the Marketplace icon on the left side menu.
  3. Choose Premium Intel.
  4. Click Subscribe on the Cisco Amp Threat Grid Analysis Feeds box.
  5. Enter your API key and then click Save Credentials & Request Subscription.

TruSTAR will validate the integration within 48 hours and send an email when the integration has been enabled.

TruSTAR Report Mapping

  • Report Title: IP <IOC Value>
    Example: IP XX.45.72.XX
  • External ID: Encoded value of (IP <IOC Value>)
    Example: IP XX.45.72.XX
  • Report Body: Entire JSON content received from Cisco Threat Grid
  • Time Begun

As per workflow logic (use severity score)

Known Issues

No reported issues.

Please contact if you have issues with this integration.
