Cisco AMP Threat Grid Feed

Updated 6 days ago by Elvis Hovor

This document explains how to set up and use the Cisco AMP Threat Grid intel feed.

  • Time to Install: 10 minutes
  • Type of Feed: Automatic updates
  • Update Frequency: 15 minutes
  • Source Type: Closed Feed

Requirements

  • Subscription to Cisco AMP Threat Grid
  • Cisco AMP Threat Grid API key
  • TruSTAR Admin rights, which are required to activate this closed source feed

Getting Started

  1. Log into TruSTAR Station.
  2. Click the Marketplace icon on the left side menu.
  3. Choose Closed Sources.
  4. Click Subscribe on the Cisco AMP Threat Grid Analysis Feeds box.
  5. Enter your API key and then click Save Credentials & Request Subscription.

TruSTAR will validate the integration within 48 hours and send an email when the integration has been enabled.

Report Mapping

  Field          Explanation
  -------------  ------------------------------------------------------------------------
  Report Title   IP <IOC Value>. Example: IP 99.45.72.34
  External ID    Encoded value of the report title (IP <IOC Value>). Example: the encoded value of "IP 99.45.72.34"
  Report Body    Entire JSON content received from Cisco Threat Grid
  Time Begun     Timestamp of the feed item. Example: 2018-01-18T01:35:17Z
  Tags           As per the workflow logic in Technical Details (based on the severity score)

FAQ

Q. What data is pulled from Threat Grid?

A. The integration pulls reports from Threat Grid that contain the following IOC types:

  • IP
  • Domain
  • URL (the domain is extracted from the URL)
  • SHA256
  • SHA1
  • MD5
  • REGISTRY_KEY

Contact TruSTAR Support to discuss additional indicator types that can be queried.

Known Issues

No reported issues.

Please reach out to support@trustar.co if you have issues with this integration.

Technical Details 

Cisco Threat Grid Analysis Feeds

Workflow:

  • Fetch all events/feeds of IOCs using the IOC Feeds APIs listed below.
  • If severity < 90, tag the event via the TAGS API with <IOC value SEVERITY>.
  • If severity >= 90, check whether the event is already tagged with its score (via the GET tags API). If it is, fetch all related events (using the samples/search API) and submit them to TruSTAR with the tag Retro. Otherwise, tag the event based on its severity score and submit the event to TruSTAR.
  • Severity score >= 95: tag the event as Blocked.
  • Severity score between 90 and 94: tag the event as Suspicious.

Note: at most 500 reports are submitted per run, and only the first 100 results from each feed API (IP, Domain, URLs, Artifacts, Registry Key) are considered.
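The workflow above and the Report Mapping table, carried through in code as an added example (this is not TruSTAR's or Cisco's integration code). It runs offline over constructed feed items shaped like the feed responses shown below; the GET tags and samples/search lookups are stood in for by plain dictionaries. Where the page is ambiguous the following are assumptions: the tag posted to a Threat Grid sample is its bare score for severity >= 90 (as in the tag=74 example) and the string "<IOC value> <severity>" for lower scores, the External ID is the base64 of the report title, and the DOMAIN and URL title prefixes are made up (only "IP <value>" is given on the page).

```python
import base64
import json

# Severity bands and caps from the workflow on this page.
BLOCKED_MIN = 95
SUSPICIOUS_MIN = 90
PER_FEED_CAP = 100   # results considered from each feed API
TOTAL_CAP = 500      # max reports submitted per run

# Feed name -> (IOC key in a feed item, report-title prefix). Only "IP <value>"
# is given on the page; the DOMAIN and URL prefixes are an assumption.
FEED_SPEC = {"ips": ("ip", "IP"), "domains": ("domain", "DOMAIN"), "urls": ("url", "URL")}

# Constructed feed items, shaped like the IOC feed responses shown on this page.
SAMPLE_FEEDS = {
    "ips": [
        {"ip": "106.234.82.30", "timestamp": "2018-01-18T01:35:17Z", "ioc": "network-communications-smb",
         "confidence": 90, "severity": 90, "sample_id": "c39b5370357eb0a73377cc8d70885b68"},
        {"ip": "198.51.100.7", "timestamp": "2018-01-18T01:40:00Z", "ioc": "network-communications-smb",
         "confidence": 95, "severity": 96, "sample_id": "0123456789abcdef0123456789abcdef"},
    ],
    "domains": [
        {"domain": "example.net", "timestamp": "2018-01-18T01:41:00Z", "ioc": "network-communications-http-get",
         "confidence": 90, "severity": 92, "sample_id": "fedcba9876543210fedcba9876543210"},
    ],
    "urls": [
        {"url": "http://www.miglioriaspirapolvere.it:80/wp-content/cache/minify/18550.js",
         "timestamp": "2018-01-18T01:57:46Z", "ioc": "network-communications-http-get",
         "confidence": 75, "severity": 75, "sample_id": "82fbfd50ca339db195a89d4771bf228d"},
    ],
}
# Constructed stand-ins for the two Threat Grid lookups the workflow makes.
# GET tags API result: sample c39b... was already tagged with score "90" on an earlier run.
SAMPLE_EXISTING_TAGS = {"c39b5370357eb0a73377cc8d70885b68": {"90"}}
# samples/search result: events related to that sample.
SAMPLE_RELATED = {"c39b5370357eb0a73377cc8d70885b68": [
    {"ip": "106.234.82.31", "timestamp": "2018-01-17T23:10:00Z", "ioc": "network-communications-smb",
     "confidence": 90, "severity": 90, "sample_id": "c39b5370357eb0a73377cc8d70885b68"}]}


def classify(value, severity):
    """Return (tag to POST to the Threat Grid sample, tag for the TruSTAR report)."""
    if severity >= BLOCKED_MIN:
        return str(severity), "Blocked"
    if severity >= SUSPICIOUS_MIN:
        return str(severity), "Suspicious"
    low = f"{value} {severity}"          # "<IOC value SEVERITY>" for scores below 90
    return low, low


def build_report(item, ioc_key, prefix, tags):
    """Map one feed item onto the fields of the Report Mapping table."""
    title = f"{prefix} {item[ioc_key]}"
    return {
        "title": title,
        # "Encoded value of" the title: base64 is assumed, the page does not name the encoding.
        "externalId": base64.urlsafe_b64encode(title.encode()).decode(),
        "reportBody": json.dumps(item, sort_keys=True),   # entire JSON received from Threat Grid
        "timeBegan": item["timestamp"],
        "tags": list(tags),
    }


def process_feeds(feeds, existing_tags, related_events):
    """Apply the workflow to already-fetched feed results.

    existing_tags:  sample_id -> set of tags (what the GET tags API returns)
    related_events: sample_id -> related feed items (what samples/search returns)
    Returns (reports to submit to TruSTAR, (sample_id, tag) pairs to POST to the TAGS API).
    """
    reports, tag_posts = [], []
    for feed, items in feeds.items():
        ioc_key, prefix = FEED_SPEC[feed]
        for item in items[:PER_FEED_CAP]:            # only 100 results per feed are considered
            if len(reports) >= TOTAL_CAP:             # hard cap of 500 reports per run
                return reports, tag_posts
            sid, sev, value = item["sample_id"], item["severity"], item[ioc_key]
            if sev >= SUSPICIOUS_MIN and str(sev) in existing_tags.get(sid, ()):
                # Seen before with this score: resubmit the related events tagged Retro
                # (related items are assumed to carry the same IOC key as the feed).
                for rel in related_events.get(sid, []):
                    reports.append(build_report(rel, ioc_key, prefix, ["Retro"]))
                continue
            tg_tag, ts_tag = classify(value, sev)
            tag_posts.append((sid, tg_tag))
            reports.append(build_report(item, ioc_key, prefix, [ts_tag]))
    return reports, tag_posts


if __name__ == "__main__":
    reports, tag_posts = process_feeds(SAMPLE_FEEDS, SAMPLE_EXISTING_TAGS, SAMPLE_RELATED)
    for r in reports:
        print(r["title"], r["tags"])
    print("TAGS API posts:", tag_posts)
```

The retro branch is the part worth testing carefully: a sample that was already scored on an earlier run produces reports for its related events only, tagged Retro, and the original event is not resubmitted. The two caps are applied in order (100 per feed, then 500 overall), so a noisy feed cannot starve the ones after it of more than its own 100-item share.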

TAGS API

To create a tag on an event using its sample ID (POST):

https://panacea.threatgrid.com/api/v2/samples/82fbfd50ca339db195a89d4771bf228d/tag?api_key=&tag=74

The API key is passed as a query-string parameter in every request below, so a filled-in URL ends up in proxy, web-server and shell-history logs; do not paste such URLs into tickets or shared documents, and leave the api_key value blank as in these examples.

To get the tags of an event using its sample ID (GET), the response looks like this:

Response:

{
  "api_version": 2,
  "id": 7933134,
  "data": {
    "sample": "82fbfd50ca339db195a89d4771bf228d",
    "tags": [
      {
        "tag": "74",
        "count": 1,
        "mine": true
      }
    ]
  }
}

IOC Feeds

IP Address Feed:

https://panacea.threatgrid.com/api/v2/iocs/feeds/ips?limit=10&after=2018-01-18T00:00:00&before=2018-01-18T02:00:00&confidence=75&severity=75&ip=106.234.82.30&api_key=

Response:

{
  "api_version": 2,
  "id": 8043059,
  "data": {
    "index": 0,
    "current_item_count": 1,
    "items_per_page": 10,
    "items": [
      {
        "ip": "106.234.82.30",
        "port": null,
        "timestamp": "2018-01-18T01:35:17Z",
        "ioc": "network-communications-smb",
        "confidence": 90,
        "severity": 90,
        "sample_id": "c39b5370357eb0a73377cc8d70885b68",
        "sample_sha256": "8c62eb1f53586ff401aa676ef831aff02227c4bbf40841a8db8cc6289bb29f5d"
      }
    ]
  }
}

Domain/Hostname Feed:

https://panacea.threatgrid.com/api/v2/iocs/feeds/domains?limit=10&after=2018-01-18T00:00:00&before=2018-01-18T02:00:00&confidence=75&severity=75&domain=google.com&api_key=

Response:

{
  "api_version": 2,
  "id": 8043059,
  "data": {
    "index": 0,
    "current_item_count": 1,
    "items_per_page": 10,
    "items": [
      {
        "domain": "google.com",
        "timestamp": "2018-01-18T01:35:17Z",
        "ioc": "network-communications-smb",
        "confidence": 90,
        "severity": 90,
        "sample_id": "c39b5370357eb0a73377cc8d70885b68",
        "sample_sha256": "8c62eb1f53586ff401aa676ef831aff02227c4bbf40841a8db8cc6289bb29f5d"
      }
    ]
  }
}

URL Feed:

https://panacea.threatgrid.com/api/v2/iocs/feeds/urls?limit=10&after=2018-01-18T00:00:00&before=2018-01-18T02:00:00&confidence=75&severity=75&url=http://www.miglioriaspirapolvere.it:80/wp-content/cache/minify/18550.js&api_key=

Response:

{
  "api_version": 2,
  "id": 6981939,
  "data": {
    "index": 0,
    "current_item_count": 1,
    "items_per_page": 10,
    "items": [
      {
        "url": "http://www.miglioriaspirapolvere.it:80/wp-content/cache/minify/18550.js",
        "timestamp": "2018-01-18T01:57:46Z",
        "ioc": "network-communications-http-get",
        "confidence": 75,
        "severity": 75,
        "sample_id": "82fbfd50ca339db195a89d4771bf228d",
        "sample_sha256": "87f0e85707b026014ac40e915432562af65ac0339cfe50a3b34a53176057689a"
      }
    ]
  }
}

Artifact Feed (MD5, SHA1, SHA256):

https://panacea.threatgrid.com/api/v2/iocs/feeds/artifacts?limit=10&sha256=de9e0b913ef183ff8cb067c539ff64ca3f17c7e826d5f80e0d3453b27834989e&api_key=
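To tie the feed calls above together, here is an added example (not TruSTAR's or Cisco's code) that builds feed URLs in the form shown, blanks the api_key value before a URL is logged, and pulls the items out of a response while re-applying the confidence/severity floor locally. The function names are mine; the embedded response is the URL feed response from this page, so the block runs offline and sends nothing over the network.

```python
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

FEED_BASE = "https://panacea.threatgrid.com/api/v2/iocs/feeds"

# The URL feed response shown on this page, embedded so the example runs offline.
SAMPLE_URL_FEED = {
    "api_version": 2,
    "id": 6981939,
    "data": {
        "index": 0, "current_item_count": 1, "items_per_page": 10,
        "items": [{
            "url": "http://www.miglioriaspirapolvere.it:80/wp-content/cache/minify/18550.js",
            "timestamp": "2018-01-18T01:57:46Z",
            "ioc": "network-communications-http-get",
            "confidence": 75, "severity": 75,
            "sample_id": "82fbfd50ca339db195a89d4771bf228d",
            "sample_sha256": "87f0e85707b026014ac40e915432562af65ac0339cfe50a3b34a53176057689a",
        }],
    },
}


def build_feed_url(feed, api_key, **filters):
    """Assemble a feed request in the form shown above (limit, after, before,
    confidence, severity, ip/domain/url/sha256 ...); None-valued filters are dropped."""
    params = {k: v for k, v in filters.items() if v is not None}
    params["api_key"] = api_key            # sent as a query parameter, as the page's URLs do
    return f"{FEED_BASE}/{feed}?{urlencode(params)}"


def redact_api_key(url):
    """Blank the api_key value before a feed URL is logged, ticketed or shared.
    The key rides in the query string, so an unredacted URL is a credential leak."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k == "api_key" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def parse_feed_items(payload, min_confidence=0, min_severity=0):
    """Return the items of a feed response, re-applying the confidence/severity
    floor locally so a mis-set query parameter cannot widen what gets submitted."""
    doc = json.loads(payload) if isinstance(payload, (str, bytes)) else payload
    items = doc.get("data", {}).get("items", [])
    return [i for i in items
            if i.get("confidence", 0) >= min_confidence and i.get("severity", 0) >= min_severity]


def domain_from_url(url):
    """Host part of a URL IOC (the FAQ notes that domains are extracted from URLs)."""
    return urlsplit(url).hostname


if __name__ == "__main__":
    url = build_feed_url("urls", "SECRET-KEY", limit=10,
                         after="2018-01-18T00:00:00", before="2018-01-18T02:00:00",
                         confidence=75, severity=75)
    print("request:", redact_api_key(url))
    for item in parse_feed_items(SAMPLE_URL_FEED, min_confidence=75, min_severity=75):
        print(item["severity"], item["url"], "->", domain_from_url(item["url"]))
```

Because the key is a query parameter, every intermediary that records request lines sees it; pass any URL through redact_api_key before it reaches a logger, and rotate the key if an unredacted URL has been shared.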

TruSTAR report content is submitted as formatted JSON.

