ThreatQuotient Integration
RST Cloud enhances the data-driven ThreatQuotient Threat Intelligence platform by offering essential features.
The RST Threat Feed provides TAXII collections of Indicators of Compromise (IoCs) at various risk levels, complete with context and attribution to threats and adversaries. Simultaneously, the RST Report Hub delivers intelligence reports sourced from multiple channels. RST Noise Control helps filter out known-good observables, reducing noise during detection and prevention efforts. Additionally, RST IoC Lookup enriches indicators such as IP addresses, domains, URLs, and hashes by adding context, including threat attribution and risk scores. The RST Whois API further enhances domains and URLs with registration information.
For general information about this integration, please refer to the Datasheet.
About this integration
This guide covers integration of the following RST Cloud products with the ThreatQ platform:
RST Cloud ThreatQuotient Integration Options
RST Cloud Product | Option | Description and Link on the ThreatQuotient Marketplace |
---|---|---|
RST Threat Feed | STIX/TAXII 2.1 integration | Subscribe to different TAXII collections and map each of them to a different score per source (see Scoring Sensitivity Configuration in ThreatQ) |
RST Report Hub | STIX/TAXII 2.1 integration | Subscribe to a TAXII collection for RST Report Hub |
RST Noise Control | RST Noise Control Plugin - Operation | Select an indicator of interest (IP, Domain, URL, Hash) and enrich it with the classification from RST Noise Control |
RST Noise Control | RST Noise Control - Action | Use it in workflows to automatically check whether a collection of indicators is likely to create noise when used for real-time detection or may cause problems when applied for prevention |
RST IoC Lookup | RST IoC Lookup Plugin - Operation | Select an indicator of interest (IP, Domain, URL, Hash) and enrich it with data from RST IoC Lookup |
RST IoC Lookup | RST IoC Lookup - Action | Enrich indicators from different collections using workflows with data from RST Cloud, including risk scores, related threat categories, threat names, CVEs, related industries, TTPs, and other useful information |
RST Whois API | RST Whois API Plugin - Operation | Select a Domain or URL and request registration data for the related domain from RST Whois API |
RST Whois API | RST Whois API - Action | Enrich domain indicators in bulk with real-time domain registration data |
Configuration
Prerequisites:
- TAXII credentials
- Collection IDs
Reach out to RST Cloud team representatives to get this data.
To configure STIX/TAXII integration, navigate to Integrations –> Intelligence Feeds & Connector menu:
Integrate RST Threat Feed
Add New Integration -> Add New TAXII Feed -> RST Threat Feed: High Risk Indicators:
- Name of the feed (‘What would you like to name this feed?’): use the name from the table above or another name according to your naming convention
- Run Frequency (‘How often would you like to pull new data from this feed?’): set, for example, ‘Every Hour’
- Discovery URL: https://taxii.rstcloud.net/taxii2/
- Poll URL: https://taxii.rstcloud.net/taxii2/root/collections/[collection_id]
- Collection Name: see the table above for collection IDs and names
- Username: use the username provided by RST Cloud
- Password: use the password provided by RST Cloud
- Verify SSL: if selecting “Yes”, get the certificate from https://taxii.rstcloud.net and copy and paste it into the field
Then go to the newly created feed and enable it:
Configure custom data expiration parameters under Threat Library -> Indicator Expiration. Scroll down until you see the newly created feed and set how its items should expire:
Adjust Scoring Sensitivity configuration by setting a corresponding number for each of the feeds (for example, High – 5, Medium – 3, Low – 1):
Configure scoring decrease for the indicators that are mapped as Revoked (for example, set the score to be decreased by 8):
Repeat the same procedure for every collection you have been given access to.
Integrate RST Report Hub
Bringing intelligence reports into ThreatQ via RST Report Hub follows a similar integration scenario. Add New Integration -> Add New TAXII Feed -> RST Report Hub, TAXII version: 2.1
- Discovery URL: https://taxii.rstcloud.net/taxii2/
- Poll URL: https://taxii.rstcloud.net/taxii2/root/collections/[collection_ID]
- Collection Name: RST Report Hub
If needed, a custom RST Report Hub collection with the required filtering can be created by the RST Cloud team. Once the collection is added, enable the feed as shown in the picture below:
Repeat the scoring and indicator expiration adjustments as described for RST Threat Feed.
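As an added illustration of what ThreatQ does behind the feed settings above (for both the RST Threat Feed and the RST Report Hub collections), the following Python example polls one TAXII 2.1 collection using the guide's Poll URL pattern and applies the scoring rules configured in Scoring Sensitivity (High 5, Medium 3, Low 1) and the Revoked decrease of 8. It is example code, not RST Cloud's or ThreatQ's; it assumes the objects endpoint is `<Poll URL>/objects/`, that paging uses the TAXII 2.1 envelope fields `more`/`next`, and that scores floor at 0. The server responses are constructed inline so it runs offline.

```python
# Added example (not RST Cloud's or ThreatQ's code): a TAXII 2.1 poller for
# one RST Cloud collection plus the scoring rules the guide configures.
# Assumptions: objects endpoint is "<Poll URL>/objects/", paging uses the
# TAXII 2.1 envelope fields "more"/"next", and scores floor at 0.
import base64
from typing import Callable, Dict, List, Optional

COLLECTIONS = "https://taxii.rstcloud.net/taxii2/root/collections"  # guide's Poll URL base
TAXII_MEDIA = "application/taxii+json;version=2.1"
COLLECTION_SCORE = {"high": 5, "medium": 3, "low": 1}  # Scoring Sensitivity per feed
REVOKED_PENALTY = 8  # guide: decrease Revoked indicators by 8

def request_headers(username: str, password: str) -> Dict[str, str]:
    """HTTP Basic auth (RST-issued credentials) and the TAXII 2.1 media type."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}", "Accept": TAXII_MEDIA}

def objects_url(collection_id: str, added_after: Optional[str] = None,
                nxt: Optional[str] = None) -> str:
    """Objects URL for one poll; added_after scopes an hourly incremental run."""
    params = [p for p in (f"added_after={added_after}" if added_after else "",
                          f"next={nxt}" if nxt else "") if p]
    return f"{COLLECTIONS}/{collection_id}/objects/" + ("?" + "&".join(params) if params else "")

def poll_collection(collection_id: str, fetch: Callable[[str], dict],
                    added_after: Optional[str] = None) -> List[dict]:
    """Follow 'next' cursors until the envelope reports more=false."""
    objects, nxt = [], None
    while True:
        envelope = fetch(objects_url(collection_id, added_after, nxt))
        objects.extend(envelope.get("objects", []))
        if not envelope.get("more"):
            return objects
        nxt = envelope["next"]

def score_indicator(obj: dict, risk_level: str) -> int:
    """Per-source score from the feed's risk level, reduced when the STIX
    object is revoked (what ThreatQ's Revoked mapping applies)."""
    score = COLLECTION_SCORE[risk_level] - (REVOKED_PENALTY if obj.get("revoked") else 0)
    return max(score, 0)

# Constructed two-page TAXII envelope sequence standing in for the live server.
_PAGES = {"": {"objects": [{"id": "indicator--1"}, {"id": "indicator--2", "revoked": True}],
               "more": True, "next": "p2"},
          "p2": {"objects": [{"id": "indicator--3"}], "more": False}}

def fake_fetch(url: str) -> dict:
    """Stand-in for an authenticated GET: picks the constructed page by cursor."""
    return _PAGES[url.split("next=")[1] if "next=" in url else ""]
```

Against the live server, replace `fake_fetch` with an HTTP GET that sends `request_headers(...)` and verifies the TLS certificate, and pass the timestamp of the previous run as `added_after`.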
Integrate Enrichment APIs
To use the enrichment APIs when manually calling Operations, first download the following Python packages:
- RST IoC Lookup:
https://rstcloud.com/download/threatq/tq_op_rst_ioc_lookup_plugin-1.0.0-py3-none-any.whl
- RST Noise Control:
https://rstcloud.com/download/threatq/tq_op_rst_noise_control_plugin-1.0.0-py3-none-any.whl
- RST Whois API:
https://rstcloud.com/download/threatq/tq_op_rst_whois_api_plugin-1.0.0-py3-none-any.whl
To install Operations, navigate to Integrations –> Operations menu. Select Add New Integration button:
Drag and drop the downloaded files one at a time to install them:
After installation, configure them and set the API keys provided by the RST Cloud team:
To use the enrichment APIs in automated workflows, download the following YAML connectors:
- RST IoC Lookup:
https://rstcloud.com/download/threatq/rst-ioc-lookup-action.yaml
- RST Noise Control:
https://rstcloud.com/download/threatq/rst-noise-control-action.yaml
- RST Whois API:
https://rstcloud.com/download/threatq/rst-whois-api-action.yaml
To install Actions, upload *.yaml files by navigating to Integrations –> Actions menu. Select Add New Integration button:
Drag and drop the downloaded files one at a time to install them. Finish the installation by entering the API keys provided by RST Cloud representatives.
Congratulations! You have successfully configured ThreatQ to enable integration with RST Cloud. You can now leverage the threat intelligence data in your security operations.