Cisco AMP Threat Grid Indicator Query

Updated 1 month ago by Elvis Hovor

Introduction

TruSTAR is a threat intelligence platform designed to accelerate the incident analysis process and the exchange of intelligence among internal and external teams. This document describes how paying customers of Cisco Threat Grid can ingest reports and indicators from Threat Grid into their TruSTAR enclave and correlate them with the other data sources stored in their TruSTAR enclaves.

Prerequisites

This integration requires TruSTAR users to be paying customers of Cisco Threat Grid and to have access to the Threat Grid portal in order to generate their API key.

Configure Integration

After you have retrieved your Cisco Threat Grid API key, follow these steps:

  1. Log into TruSTAR Station and go to Explore->Marketplace (https://station.trustar.co/browse/marketplace).
  2. Click on Closed Sources.
  3. Click on the Cisco AMP Threat Grid Indicator Query logo and fill in your API key.
  4. Click Submit.

TruSTAR will validate and enable the Threat Grid integration within 48 hours. You will receive an email from us as soon as it is enabled.


With the Cisco Threat Grid Indicator Query, indicators extracted from reports submitted into your private enclave are queried against Cisco Threat Grid, and the resulting enrichment is submitted into an enclave you control.

FAQ

How often is the data pulled?

Our integration retrieves data from Cisco Threat Grid every 15 minutes.

Technical Details

Cisco Threat Grid indicator queries

For IP:

https://panacea.threatgrid.com/api/v2/search/ips?api_key=&term=cidr&query=52.85.107.111

Response:

    {
        "api_version": 2,
        "id": 7977325,
        "data": {
            "index": 0,
            "items_per_page": 100,
            "current_item_count": 1,
            "items": [
                {
                    "result": "52.85.107.111",
                    "details": "/api/v2/ips/52.85.107.111"
                }
            ]
        }
    }

Take the details value of each item in the above response (a path on the same host, here /api/v2/ips/52.85.107.111) and fetch that item's data from the API below:

https://panacea.threatgrid.com/api/v2/ips/52.85.107.111?api_key=

Response:

    {
        "api_version": 2,
        "id": 802340,
        "data": {
            "ip": "52.85.107.111",
            "asn": {
                "asn": 16509,
                "org": "Amazon.com, Inc."
            },
            "location": {
                "country": "US",
                "region": "WA",
                "city": "Seattle"
            },
            "rev": "server-52-85-107-111.jax1.r.cloudfront.net",
            "flags": [],
            "tags": []
        }
    }

For URL:

https://panacea.threatgrid.com/api/v2/search/urls?api_key=&term=url&query=http://www.miglioriaspirapolvere.it:80/wp-content/cache/minify/18550.js

For Registry Key:

https://panacea.threatgrid.com/api/v2/search/registry_keys?api_key=&term=key&query=<reg_key_name>

For Domain:

https://panacea.threatgrid.com/api/v2/search/domains?api_key=&term=domain&query=google.com

For Artifact (SHA-256 hash):

https://panacea.threatgrid.com/api/v2/search/artifacts?api_key=&term=sha256&query=1717d3fcf93ac9b04a9f22124264b3f764cfe851914e9e12605f4354f6c1ba58

TruSTAR report content is submitted as formatted JSON.

TruSTAR Report Content Mapping:

  • Report title - IP <IOC Value> (e.g. IP 99.45.72.34)
  • External id - Encoded value of "IP <IOC Value>" (e.g. the encoding of "IP 99.45.72.34")
  • Report Body - The entire JSON content received from Cisco Threat Grid, stored as the report body.
  • Time begun - Timestamp (e.g. 2018-01-18T01:35:17Z)
  • Tags - As per workflow logic (uses the severity score)
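The two-step lookup and the report mapping described above, as an added Python example that is not TruSTAR's or Cisco's code: it builds the search URL for each IOC type listed on this page, follows each hit's details path, and applies the mapping. The report field names, base64 as the "encoded" external id and the severity threshold used for tags are assumptions, and the HTTP calls are replaced by constructed responses copied from this page's examples so the flow runs offline; a small helper masks the api_key before a request URL is logged, since the key travels in the query string.

```python
import base64
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

TG_HOST = "https://panacea.threatgrid.com"
# Search endpoint and "term" parameter per IOC type, as listed on this page.
SEARCH_TERMS = {"ip": ("ips", "cidr"), "url": ("urls", "url"), "domain": ("domains", "domain"),
                "registry_key": ("registry_keys", "key"), "sha256": ("artifacts", "sha256")}

def build_search_url(ioc_type, value, api_key):
    """Step 1: the Threat Grid search URL; the query is URL-encoded, never concatenated raw."""
    path, term = SEARCH_TERMS[ioc_type]
    return f"{TG_HOST}/api/v2/search/{path}?" + urlencode({"api_key": api_key, "term": term, "query": value})

def redact_api_key(url):
    """Mask the api_key value so request URLs can be logged without leaking the credential."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k == "api_key" else v) for k, v in parse_qsl(parts.query)]
    return urlunsplit(parts._replace(query=urlencode(query)))

def to_trustar_report(ioc_type, ioc_value, details, time_begun, severity=None):
    """The page's report mapping. Field names, base64 as the 'encoded' external id and the
    severity >= 80 tag threshold are assumptions (hypothetical); the page leaves them unspecified."""
    title = f"{ioc_type.upper()} {ioc_value}"  # e.g. "IP 99.45.72.34"
    tags = ["threatgrid-high-severity"] if severity is not None and severity >= 80 else []
    return {"title": title,
            "external_id": base64.urlsafe_b64encode(title.encode()).decode(),
            "report_body": json.dumps(details, sort_keys=True),  # entire Threat Grid JSON
            "time_begun": time_begun, "tags": tags}

def enrich(ioc_type, ioc_value, api_key, fetch_json, time_begun, severity=None):
    """Step 2: follow each search hit's 'details' path and build one report per hit.
    fetch_json(url) -> dict is injected so the flow can run against real HTTP or offline data."""
    search = fetch_json(build_search_url(ioc_type, ioc_value, api_key))
    reports = []
    for item in search["data"]["items"]:
        details = fetch_json(f"{TG_HOST}{item['details']}?" + urlencode({"api_key": api_key}))
        reports.append(to_trustar_report(ioc_type, item["result"], details, time_begun, severity))
    return reports

# Constructed sample responses shaped like this page's examples (offline stand-in for HTTP).
SAMPLE = {
    "/api/v2/search/ips": {"api_version": 2, "id": 7977325, "data": {"index": 0, "items_per_page": 100,
        "current_item_count": 1, "items": [{"result": "52.85.107.111", "details": "/api/v2/ips/52.85.107.111"}]}},
    "/api/v2/ips/52.85.107.111": {"api_version": 2, "id": 802340, "data": {"ip": "52.85.107.111",
        "asn": {"asn": 16509, "org": "Amazon.com, Inc."}, "location": {"country": "US", "region": "WA",
        "city": "Seattle"}, "rev": "server-52-85-107-111.jax1.r.cloudfront.net", "flags": [], "tags": []}}}

def offline_fetch(url):
    return SAMPLE[urlsplit(url).path]  # keyed by URL path; the query string is ignored
```

Calling enrich("ip", "52.85.107.111", "EXAMPLE_KEY", offline_fetch, "2018-01-18T01:35:17Z") yields one report whose body is the full details JSON shown above.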

Please reach out to support@trustar.co for any additional questions.


