Overview

ThreatQ (Threat Quotient) is a Threat Intelligence Platform that improves security operations by fusing data sources, tools, and teams to accelerate threat detection and response. ThreatQ’s data-driven security operations platform helps teams prioritize, automate and collaborate on security incidents; enables more focused decision making; and maximizes limited resources by integrating existing processes and technologies into a unified workspace.

The Devo ThreatQ collector retrieves data from its REST API. Particularly, it retrieves events by querying them using their update date as a filter.

Data source description

Listed in the table below are the available events that this collector retrieves. The related remote endpoint for all the data sources listed is the following:

https:/{api_base_url}/api/events/query?limit={limit}&offset={offset}&sort=updated_at

Data source	Table	Description	Available from release
Spearphish	`threatintel.threatquotient.platform.spearphish`	A spearphish is an email or electronic communications scam targeted toward a specific individual, organization, or business. Although often intended to steal data for malicious purposes.	v1.0.0
Watering Hole	`threatintel.threatquotient.platform.wateringhole`	A watering hole is a targeted attack designed to compromise users within a specific industry or group of users by infecting websites they typically visit and luring them to a malicious site.	v1.0.0
SQL Injection Attack	`threatintel.threatquotient.platform.sqlinjectionattack`	An SQL injection is a type of cyber attack in which a hacker uses a piece of SQL (Structured Query Language) code to manipulate a database and gain access to potentially valuable information.	v1.0.0
DoS Attack	`threatintel.threatquotient.platform.dosattack`	A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or network, making it inaccessible to its intended users.	v1.0.0
Malware	`threatintel.threatquotient.platform.malware`	A Malware is intrusive software that is designed to damage and destroy computers and computer systems.	v1.0.0
Watchlist	`threatintel.threatquotient.platform.watchlist`	Watchlists are lists of values that you can then use to filter information in your dashboard views and reports or as a condition that triggers correlation rules or alarms.	v1.0.0
Command and Control	`threatintel.threatquotient.platform.commandandcontrol`	A command-and-control server is a computer-controlled by an attacker or cybercriminal which is used to send commands to systems compromised by malware and receive stolen data from a target network.	v1.0.0
Anonymization	`threatintel.threatquotient.platform.anonymization`	Anonymization is a data processing technique that removes or modifies personally identifiable information	v1.0.0
Exfiltration	`threatintel.threatquotient.platform.exfiltration`	Exfiltration is a technique used by malicious actors to target, copy, and transfer sensitive data.	v1.0.0
Host Characteristics	`threatintel.threatquotient.platform.hostcharacteristics`	A host is any device that can permit access to a network via the user interface.	v1.0.0
Compromised PKI Certificate	`threatintel.threatquotient.platform.compromisedpkicertificate`	A Public Key Infrastructure certificate is compromised when its value has been disclosed to an unauthorized person or an unauthorized person has had access to it.	v1.0.0
Login Compromise	`threatintel.threatquotient.platform.logincompromise`	A login compromise is an account login performed by a person not authorized to use the account.	v1.0.0
Incident	`threatintel.threatquotient.platform.incident`	An incident is an event that is not part of normal operations that disrupts operational processes. An incident may involve the failure of a feature or service that should have been delivered.	v1.0.0
Sighting	`threatintel.threatquotient.platform.sighting`	Sighting tracks who and what is the target, how attacks are carried out, and to track trends in attack behavior.	v1.0.0
User-Defined event type	`threatintel.threatquotient.platform.userdefined`	A user can also create their own event type.	v1.0.0

Check some additional information on the following websites:

ThreatQ Platform
ThreatQ Help Center (requires authentication, provided when you acquire a ThreatQ license)
ThreatQ REST API’s Authentication (requires authentication, provided when you acquire a ThreatQ license)
ThreatQ REST API’s Event Search endpoint (requires authentication, provided when you acquire a ThreatQ license)

Vendor setup

The ThreatQ Collector works over the ThreatQ’s instance API. During the installation process of the ThreatQ instance, a new user will be created. These credentials or some new ones along with the instance address will be the details needed to configure the Devo collector.

The full installation guide details can be found in ThreatQ’s official documentation (authentication required). In this article, only a few steps to get the instance configured are referenced, so we recommend visiting the official sources for a more detailed explanation.

Devo collector features

Feature	Details
Allow parallel downloading (`multipod`)	Not allowed
Running environments	Collector server, On-premise
Populated events	Standard events

Minimum configuration required for basic pulling

Although this collector supports advanced configuration, the fields required to download data with basic configuration are defined below.

Setting	Details
`threatq_username`	Username to authenticate the service. It must belong to an existing user or the initial one created during the setup.
`threatq_password`	Password to authenticate the service. It must belong to an existing user or the initial one created during the setup.
`verify_host_ssl_cert`	This should be enabled if the ThreatQ's instance has a self-signed certificate. The usual installation steps do not include certificate signing, so this usually should be `false`
`api_base_url`	This parameter defines the URL where the ThreatQ API is available. It has the form of `http{optional_s}://{ip_address_or_domain}{:optional_port}`

Run the collector

Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).

Browser not supported