ThreatConnect TIP 2.2.2
- Updated on 23 Jun 2022
tags: python | Indicator Enrichment | Threat Intelligence Platform | Cyber Risk Quantification
Description
The integration with the ThreatConnect Threat Intelligence Platform (TIP) was created to support CDC users by providing enrichments consisting of IOCs and other threat-intelligence-related information. This enables CDC users to make informed decisions during incident response.
The ThreatConnect TIP centralizes and operationalizes thousands of sources of intelligence for streamlined investigation and faster threat blocking. IOCs and other threat indicators are enriched using digital assets and prioritized by severity, bringing context and clarity to threat feeds. It helps analysts find and use relevant intelligence, measure risk based on currently known vulnerabilities, and apply threat intelligence to detection.
This integration was completed with the help of ThreatConnect. It uses the TcEX framework, which provides access to information from the ThreatConnect platform.
We use custom adaptive cards to display large amounts of threat data in a meaningful, intuitive GUI, so that complex threat intelligence data is easy to understand.
We provide a single CLI command that accepts different parameters. Users only need to change the parameters, and the corresponding results are shown in the custom adaptive card. Additionally, with the help of auto-enrichment, related threat intelligence information is also made available as observables.
Field | Value |
---|---|
Integration Type | Threat Intelligence Enrichment |
Information Enriched | Threat intelligence information for parameters such as IP addresses, URLs, hash values, etc. |
API Supported | TcEX Framework based on REST API |
Input | One of the parameters from the following list: "Address", "File", "Url", "Host", "EmailAddress", "ASN", "CIDR", "Mutex", "Registry Key", "User Agent". |
Output | Detailed enrichment consisting of IOCs and other threat-indicator-related information for the provided input parameters. |
Customer Configuration
No customer configuration
CDC Command Lines
* **enrich_indicator_by_tc_id_cli**
This CLI provides the capability to enrich the indicator/observable-related information from ThreatConnect TIP for the specified observable or ThreatConnect ID (tc_id), provided as a parameter in the CLI.
Option | Type | Description | Required |
---|---|---|---|
ioc | Any | Observable data or ThreatConnect ID (tc_id). | True |
* **enrich_pre_define_indicator_cli**
This CLI provides the capability to enrich the indicator-related information from ThreatConnect TIP for the specific indicator type and value provided as parameters in the CLI.
Option | Type | Description | Required |
---|---|---|---|
indicator_value | string | Indicator value for the chosen indicator type. | True |
indicator_type | string | Indicator type, one of: Address, Url, EmailAddress, File, Host, User Agent, Registry Key, Mutex, ASN, CIDR. | True |
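The enrich_pre_define_indicator_cli command requires the caller to name the indicator type explicitly, and ThreatConnect rejects a value paired with the wrong type. The helper below, an added example that is not part of the integration's or ThreatConnect's own code, infers one of the ten supported indicator types from a raw observable and builds the option dictionary for the CLI. The classification heuristics (hash-length rule for File, hive prefixes for Registry Key, "Global\" / "Local\" prefixes for Mutex, common product prefixes for User Agent) are this example's own assumptions, not rules the integration defines; everything else (type names, option names) comes from the table above.

```python
import ipaddress
import re
from typing import Optional
from urllib.parse import urlparse

# Indicator types accepted by enrich_pre_define_indicator_cli (from the page's table).
INDICATOR_TYPES = (
    "Address", "Url", "EmailAddress", "File", "Host",
    "User Agent", "Registry Key", "Mutex", "ASN", "CIDR",
)

# The heuristics below are assumptions made for this example, not the integration's rules.
_HASH_LENGTHS = {32: "MD5", 40: "SHA1", 64: "SHA256"}   # hex length -> algorithm
_HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
_ASN_RE = re.compile(r"^AS\d+$", re.IGNORECASE)
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)([a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,63}$"
)
_REGISTRY_HIVES = ("HKLM\\", "HKCU\\", "HKCR\\", "HKU\\", "HKCC\\", "HKEY_")
_MUTEX_PREFIXES = ("Global\\", "Local\\")
_UA_PREFIXES = ("Mozilla/", "curl/", "python-requests/", "Wget/")


def classify_indicator(value: str) -> Optional[str]:
    """Map a raw observable to one of INDICATOR_TYPES, or None if no rule matches.

    Order matters: CIDR is tested before Address so "10.0.0.0/8" is not taken
    for a single address, and File (hash) before Host so a 32-hex string is
    not mistaken for a bare hostname.
    """
    v = value.strip()
    if not v:
        return None
    if _ASN_RE.match(v):                      # e.g. AS15169
        return "ASN"
    if "/" in v:                              # network range, e.g. 10.0.0.0/8
        try:
            ipaddress.ip_network(v, strict=False)
            return "CIDR"
        except ValueError:
            pass
    try:
        ipaddress.ip_address(v)               # IPv4 or IPv6 host address
        return "Address"
    except ValueError:
        pass
    if len(v) in _HASH_LENGTHS and _HEX_RE.match(v):
        return "File"                         # MD5 / SHA1 / SHA256 digest
    if v.lower().startswith(("http://", "https://", "ftp://")) and urlparse(v).netloc:
        return "Url"
    if _EMAIL_RE.match(v):
        return "EmailAddress"
    if v.upper().startswith(_REGISTRY_HIVES):
        return "Registry Key"
    if v.startswith(_MUTEX_PREFIXES):
        return "Mutex"
    if v.startswith(_UA_PREFIXES):
        return "User Agent"
    if _HOST_RE.match(v):
        return "Host"
    return None


def build_enrich_params(value: str, indicator_type: Optional[str] = None) -> dict:
    """Return the option dict for enrich_pre_define_indicator_cli.

    If indicator_type is given it is validated against INDICATOR_TYPES;
    otherwise it is inferred with classify_indicator(). A ValueError is raised
    for unknown types so the CLI is never invoked with a type TIP would reject.
    """
    itype = indicator_type or classify_indicator(value)
    if itype not in INDICATOR_TYPES:
        raise ValueError(f"unsupported or undeterminable indicator type for {value!r}")
    return {"indicator_type": itype, "indicator_value": value.strip()}


if __name__ == "__main__":
    # Constructed sample observables, one per supported type.
    for sample in ("8.8.8.8", "10.0.0.0/8", "AS15169", "d41d8cd98f00b204e9800998ecf8427e",
                   "https://example.com/path", "user@example.com", "example.com",
                   "HKLM\\Software\\Example", "Global\\ExampleMutex", "Mozilla/5.0 (X11)"):
        print(build_enrich_params(sample))
```

Because the rules are ordered from most to least specific, an ambiguous value (for instance a 40-character hex string that is also a syntactically valid hostname) is classified as the more restrictive type, which is the safer choice before sending it to the enrichment CLI.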
Workflows
* **enrich_by_id_workflow**
Enrich by ID workflow
* **post_enrich_pre_define_indicator**
Posts the enrich_pre_define_indicator result in the CDC, addressed by the ID of the incident, message, or channel.
Rules
No rules
Sensors
No sensors
Triggers
No triggers
Known Issues
No known issues