Introduction
The blog highlights Loginsoft’s expertise in integrating a Threat Intelligence source with ThreatQuotient, enabling organizations to operationalize threat intelligence more effectively. It explains how ThreatQuotient’s platform aggregates, correlates, and prioritizes threat data from multiple sources, and how Loginsoft helps streamline ingestion and normalization, so intelligence becomes actionable across security operations. The focus is on improving visibility, accelerating analysis, and supporting informed response through centralized threat intelligence management.
Key Takeaways
- Loginsoft developed a Configuration Driven Feed (CDF) Integration App using ThreatQ's Open Exchange Framework.
- The app automatically ingests, maps, and enriches threat data with IoCs, relationships, and MITRE ATT&CK TTPs.
- Integrations undergo QA, include user manuals, and require ThreatQuotient Engineering approval.
- Approved apps are published to the ThreatQ marketplace for seamless threat-centric operations.
The ThreatQ platform takes a threat-centric approach to security operations. This approach allows security teams to prioritize based on threat and risk, collaborate across teams, automate actions and workflows, and integrate point products into a single security infrastructure.
ThreatQ Open Exchange includes a Configuration Driven Feed (CDF), Software Development Kit (SDK), easy-to-use Application Programming Interface (API) and a comprehensive set of industry-standard interfaces to fully integrate with the equipment, tools, technologies, people, organizations and processes that protect your business.
Loginsoft developed an Integration App to ingest a Threat Intelligence Feed into the ThreatQ platform. The Integration App is built with ThreatQ's Open Exchange Framework, which allows building powerful and robust definitions to ingest Threat Intelligence data from a Feed Provider.
Integration Highlights:
1. Integration Development:
- Develop a Configuration Driven Feed (CDF) that can be used to ingest a Threat Intelligence Feed
- Configure the new Feed in the ThreatQ platform (like providing API Key, Feed Run Frequency etc.)
- The Feed automatically runs at the configured interval and pulls the data from the Threat Intelligence Source
- Incoming Feed data is mapped to ThreatQ platform-specific fields, and incoming IoCs with their attributes are saved in the ThreatQ platform
- Relationships/Associations are established between objects. Example: Associate an MD5 (123456789abcdefghijklmnopqrstuvw) with an Adversary (APT40)
- MITRE ATT&CK information, if any, is saved as Tactics, Techniques and Procedures (TTPs) in the ThreatQ platform
- Complete the Quality Assurance (QA) process
- Create the User Manual
- Package deliverables: YAML File and User Manual
2. Submit Integration for Approval:
The Integration is submitted to ThreatQuotient’s Engineering team for approval. This includes providing Feed Details, Publisher, Feed Type (Commercial or Open Source Intelligence), Vendor Logo, YAML file and User Manual.
3. ThreatQuotient’s Engineering Review and Approval:
- Validation of the integration against the CDF Best Practices list
- Inspection of submitted data mappings and the CDF for data integrity concerns and general user experience and usability
- General Feed Run performance
- Submitted data mappings are converted into a ThreatQ Help Center document
- After final tweaks, the CDF will be considered Approved and merged to Engineering’s Feed Definitions repository
4. Integration Release:
The Approved Integration is published to the ThreatQ marketplace https://marketplace.threatq.com/
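The mapping and relationship steps listed under Integration Development, sketched as an added example in plain Python; it is not Loginsoft's code and not ThreatQ CDF syntax or API. The record layout, field names and the `normalize` and `map_record` helpers are assumptions made for illustration.

```python
import ipaddress
import re

MD5_RE = re.compile(r"[0-9a-f]{32}")
TECHNIQUE_RE = re.compile(r"T\d{4}(?:\.\d{3})?")  # ATT&CK technique or sub-technique ID

def normalize(kind, value):
    """Return the canonical form of an IoC, or None if it does not fit its declared type."""
    value = value.strip()
    if kind == "MD5":
        return value.lower() if MD5_RE.fullmatch(value.lower()) else None
    if kind == "IP Address":
        try:
            return str(ipaddress.ip_address(value))
        except ValueError:
            return None
    return None  # unknown types are rejected rather than guessed

def map_record(record, source):
    """Map one feed record (hypothetical layout) to objects, relationships and rejects."""
    objects, relations, rejected = {}, set(), []
    adversary = record.get("actor")
    ttps = [t for t in record.get("attack_ids", []) if TECHNIQUE_RE.fullmatch(t)]
    for ioc in record.get("iocs", []):
        value = normalize(ioc["type"], ioc["value"])
        if value is None:
            rejected.append(ioc["value"])  # keep for QA review instead of ingesting
            continue
        key = ("Indicator", value)
        objects[key] = {"type": ioc["type"],
                        "attributes": {"Source": source, **ioc.get("attributes", {})}}
        linked = [("TTP", t) for t in ttps]
        if adversary:
            linked.append(("Adversary", adversary))
        for other in linked:
            objects.setdefault(other, {})  # related object is created once, then reused
            relations.add((key, other))
    return objects, relations, rejected

# Constructed sample record; the second MD5 is 32 characters long but not hexadecimal.
SAMPLE = {
    "actor": "APT40",
    "attack_ids": ["T1566.001", "not-a-technique"],
    "iocs": [
        {"type": "MD5", "value": "D41D8CD98F00B204E9800998ECF8427E",
         "attributes": {"Confidence": "High"}},
        {"type": "MD5", "value": "123456789abcdefghijklmnopqrstuvw"},
        {"type": "IP Address", "value": "192.0.2.10"},
    ],
}
```

Rejected values are returned instead of being stored, so a malformed indicator shows up during QA of the feed rather than as a bad object in the Threat Library.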
Here is a look inside the ThreatQ platform with the Threat Intelligence Feed added.
Sample screen that shows ThreatQ’s Threat Library (like Adversaries, Attack Patterns, Campaigns, Indicators, Intrusion Sets, Malware, Signatures, TTPs and Vulnerabilities etc.).

Sample IP Address Indicator with Attributes.

Conclusion
Integrating a Threat Intelligence source with ThreatQuotient is essential for transforming disparate threat feeds into actionable intelligence. The blog shows how Loginsoft’s integration capabilities help organizations streamline ingestion, enhance correlation, and prioritize threats effectively within ThreatQuotient’s platform. This approach strengthens security operations by enabling quicker insights, better decision-making, and more efficient response to evolving threats.
FAQ
Q1. What is ThreatQuotient used for?
ThreatQ serves as a central hub for managing and operationalizing threat intelligence. It integrates data from multiple sources, prioritizes genuine risks, automates responses, and facilitates team collaboration, reducing alert fatigue while accelerating detection and response to threats like malware, phishing, and ransomware for more efficient security operations.
Q2. Why integrate a Threat Intelligence source with ThreatQuotient?
Integrating threat intelligence (TI) sources with ThreatQ centralizes and operationalizes diverse data feeds. It aggregates indicators, enriches context, prioritizes real risks, and automates workflows, seamlessly connecting with SIEMs and SOARs to cut noise and speed detection and investigations.
Q3. How does Loginsoft support ThreatQuotient integrations?
Loginsoft helps with ingestion, normalization, and correlation of threat intelligence sources into the ThreatQuotient platform.
Q4. Can multiple threat intelligence sources be integrated into ThreatQuotient?
Yes. ThreatQuotient is designed to ingest and manage multiple threat intelligence sources within a single platform.



