Cisco AMP Threat Grid Indicator Query
This document explains how to set up and use the Cisco Threat Grid Indicator Query integration with TruSTAR Station.
Cisco Threat Grid combines advanced sandboxing with threat intelligence into one unified solution to protect organizations from malware.
- Time to Install: 10 minutes
- Type of Feed: Query-based
- Update Frequency: 15 minutes
- Intel Type: Premium Feed
The integration pulls reports from Threat Grid that contain the observables listed below:
- URL (domains are extracted from the URL)
Prerequisites
- A license for Cisco Threat Grid.
- Access to the Threat Grid portal to generate an API key.
Setup
- Log into TruSTAR Station.
- Click the Marketplace icon in the icon list on the left side.
- Choose Closed Sources.
- Click Subscribe on the Cisco Threat Grid Indicator Query box.
- Enter your Cisco API key and click Save Credentials & Request Subscription.
TruSTAR will validate the integration within 48 hours and send an email when the integration has been enabled.
TruSTAR Report Mapping
- IP <IOC Value>. Example: IP 220.127.116.11
- Encoded value of (IP <IOC Value>). Example: IP 18.104.22.168
- Entire JSON content received from Cisco Threat Grid
- Timestamp. Example: 2018-01-18T01:35:17Z
- As per workflow logic (use severity score)
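The mapping above, as an added worked example that is not part of this page or of the TruSTAR integration code: it takes a constructed Threat Grid indicator record and builds the corresponding TruSTAR report (title, encoded external ID, JSON body, timestamp, priority from severity), extracting the domain when the observable is a URL. The record field names (`ioc`, `severity`, `timestamp`), the external ID encoding (base64url of the title), the severity thresholds and the TruSTAR report field names are all assumptions made for illustration.

```python
import base64
import ipaddress
import json
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample records; the field names are an assumption, not the Threat Grid schema.
SAMPLE_HITS = [
    {"ioc": "203.0.113.7", "severity": 90, "timestamp": "2018-01-18T01:35:17Z"},
    {"ioc": "http://example.test/path?x=1", "severity": 40, "timestamp": "2018-01-18T02:00:00Z"},
    {"ioc": "not an indicator", "severity": 10, "timestamp": "2018-01-18T02:05:00Z"},
]


def classify_ioc(value):
    """Return ("IP", value) or ("URL", value) for observables the feed accepts, else None."""
    try:
        ipaddress.ip_address(value)
        return "IP", value
    except ValueError:
        pass
    parsed = urlparse(value)
    if parsed.scheme in ("http", "https") and parsed.hostname:
        return "URL", value
    return None


def external_id(title):
    """Deterministic ID derived from the title so the same IOC never creates a duplicate report.
    base64url without padding is an assumed encoding, not TruSTAR's documented one."""
    return base64.urlsafe_b64encode(title.encode()).decode().rstrip("=")


def priority(severity):
    """Assumed workflow rule mapping the Threat Grid severity score to a report priority."""
    return "HIGH" if severity >= 80 else "MEDIUM" if severity >= 50 else "LOW"


def to_trustar_report(hit):
    """Build one report dict from one hit; None when the observable is not an accepted type."""
    kind = classify_ioc(hit["ioc"])
    if kind is None:
        return None
    ioc_type, value = kind
    title = f"{ioc_type} {value}"
    # Reject malformed timestamps early rather than shipping a report with a bad time.
    datetime.strptime(hit["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
    report = {"title": title, "externalId": external_id(title),
              "reportBody": json.dumps(hit, sort_keys=True),
              "timeBegan": hit["timestamp"], "priority": priority(hit["severity"])}
    if ioc_type == "URL":
        report["domain"] = urlparse(value).hostname  # domain extracted from the URL
    return report
```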
No reported issues.