Cisco AMP Threat Grid Indicator Query

Updated 5 months ago by Elvis Hovor

This document explains how to set up and use Cisco Threat Grid Indicator Query with TruSTAR Station.

Cisco Threat Grid combines advanced sandboxing with threat intelligence into one unified solution to protect organizations from malware.

  • Source Type: Premium Intel
  • Update Type: Query-based
  • Time to Install: 10 minutes

Data Types

The integration pulls reports from Threat Grid that contain the following observable types:

  • IP
  • Domain
  • URL (the domain is extracted from the URL and stored as a Domain observable)
  • SHA256
  • SHA1
  • MD5
  • REGISTRY_KEY

Requirements

  • A license for Cisco Threat Grid.
  • Access to the Threat Grid portal to generate an API key.
  • TruSTAR Admin rights, which are required to activate this Premium Intel feed.

Getting Started

  1. Log into TruSTAR Station.
  2. Click the Marketplace icon on the left side icon list.
  3. Choose Premium Intel.
  4. Click Subscribe on the Cisco Threat Grid Indicator Query box.
  5. Enter your Cisco API key and click Save Credentials & Request Subscription.

TruSTAR will validate the integration within 48 hours and send an email when the integration has been enabled.

TruSTAR Report Mapping

Field          Explanation                                                 Example
Report Title   IP <IOC Value> (observable type followed by its value)      IP XX.45.72.XX
External ID    Encoded value of the report title, "IP <IOC Value>"         IP XX.45.72.XX
Report Body    Entire JSON content received from Cisco Threat Grid
Time Begun     Timestamp reported by Threat Grid                           2019-01-18T01:35:17Z
Tags           As per workflow logic (derived from the severity score)
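The mapping above, worked through in code. This is an added example and not TruSTAR's or Cisco's own integration code: the Threat Grid JSON is constructed for illustration, the URL-safe base64 used for the External ID is an assumption (the page only says "encoded value"), and the severity thresholds stand in for the unspecified "workflow logic". The URL-to-domain extraction follows the Data Types note that domains are extracted from URLs.

```python
"""Map a Threat Grid indicator query result onto TruSTAR report fields.

Added example, not TruSTAR's or Cisco's code. Sample input, the External ID
encoding and the severity-to-tag thresholds are assumptions for illustration.
"""
import base64
import json
from datetime import datetime
from urllib.parse import urlparse

# Observable types the integration pulls (from the Data Types section).
SUPPORTED_TYPES = {"IP", "DOMAIN", "URL", "SHA256", "SHA1", "MD5", "REGISTRY_KEY"}

# Constructed sample: a plausible Threat Grid result for one IP indicator.
# The real API response shape may differ; only the mapping logic matters here.
SAMPLE_THREAT_GRID_RESULT = {
    "indicator": {"type": "ip", "value": "203.0.113.45"},
    "threat_score": 85,
    "timestamp": "2019-01-18T01:35:17Z",
    "samples": ["constructed-sample-id"],
}


def normalize_observable(ioc_type, value):
    """Return (type, value); URLs become their DOMAIN, as the Data Types note says."""
    ioc_type = ioc_type.upper()
    if ioc_type not in SUPPORTED_TYPES:
        raise ValueError(f"unsupported observable type: {ioc_type}")
    if ioc_type == "URL":
        host = urlparse(value).hostname
        if not host:
            raise ValueError(f"cannot extract a domain from {value!r}")
        return "DOMAIN", host
    return ioc_type, value


def report_title(ioc_type, value):
    """Report Title: '<type> <IOC Value>', e.g. 'IP XX.45.72.XX'."""
    return f"{ioc_type} {value}"


def external_id(title):
    """External ID: encoded report title. Assumption: URL-safe base64."""
    return base64.urlsafe_b64encode(title.encode("utf-8")).decode("ascii")


def severity_tags(threat_score):
    """Tags from the severity score. Thresholds are assumed, not from the page."""
    if threat_score >= 75:
        return ["severity:high"]
    if threat_score >= 50:
        return ["severity:medium"]
    return ["severity:low"]


def time_begun(timestamp):
    """Time Begun: the Threat Grid timestamp, validated as ISO-8601 UTC."""
    datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ")  # raises ValueError if malformed
    return timestamp


def build_report(result):
    """Assemble the TruSTAR report fields from one Threat Grid query result."""
    ioc_type, value = normalize_observable(
        result["indicator"]["type"], result["indicator"]["value"]
    )
    title = report_title(ioc_type, value)
    return {
        "title": title,
        "external_id": external_id(title),
        "report_body": json.dumps(result, sort_keys=True),  # entire JSON as received
        "time_begun": time_begun(result["timestamp"]),
        "tags": severity_tags(result["threat_score"]),
    }


if __name__ == "__main__":
    print(json.dumps(build_report(SAMPLE_THREAT_GRID_RESULT), indent=2))
```

Because the External ID is a deterministic encoding of the title, re-querying the same indicator produces the same ID, which is what lets TruSTAR update an existing report instead of creating a duplicate; anything that changes the title string (type casing, a URL kept instead of its domain) would silently break that deduplication.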

Known Issues

No reported issues.

Please reach out to support@trustar.co if you have issues with this integration.