Enricher - Cisco Threat Grid#
Note
This article describes how to configure a particular enrichment source. To see how to configure enrichers in general, see Configure enrichers.
Specifications |
|
---|---|
Enricher name |
Cisco Threat Grid |
Input |
Domain, hashes (hash-md5, hash-sha1, hash-sha256, and hash-sha512), host, IP addresses (ipv4 and ipv6), uri, and winregistry. |
Output |
Enriches supported observable types, as well as all found observables based on the enricher configuration, with information such as IP addresses, domains, host names, samples and hashes, and Windows registry keys. |
API endpoints |
|
Description |
Polls data from the Cisco Threat Grid API. It provides information on a range of cyber threat data like IP addresses, domains, registry keys, network streams, and hash files. |
Note
The default Source reliability value for this enricher is C – Fairly reliable.
You can change it to a different reliability value, as needed.
Requirements#
Users need an API key. Log in to Cisco Umbrella, and then go to the Investigate API Access area to create a new API token.
Configure the enricher parameters#
Edit the enricher.
From the Observable types drop-down menu, select one or more observable types you want to enrich with data retrieved through the Cisco Threat Grid enricher.
The API URL field is automatically filled in with the default domain for the endpoint.
You can add a proxy or set up ports according to your needs.
Default value:https://panacea.threatgrid.com/api/v3/.
In the API key field, enter your Cisco API token.
Select the Organization only checkbox to enable the enricher to check and display only submitted samples created by the organization the current user belongs to.
That is, the organization needs to be the author of the submitted samples.
When selected, this field is validated against the API key value granting access to the service.In the Max low confidence threat score field, you can set an upper threshold to automatically flag enriched observables with a low confidence value.
After completing the sample analysis, enriched observables with a lower threat score than the specified value are flagged as Malicious - Low confidence.Enter an integer value between 0 and 100.
Default value: 85.
In the Min high confidence threat score field, you can set a bottom threshold to automatically flag enriched observables with high confidence value.
After completing the sample analysis, enriched observables with a higher threat score than the specified value are flagged as Malicious - High confidence.Enter an integer value between 0 and 100.
Default value: 95.
To store your changes, click Save; to discard them, click Cancel.
Enriched observables with a threat score falling in the range defined by Max low confidence threat score (range lower limit) and Min high confidence threat score (range upper limit) are flagged as Malicious - Medium confidence.
Enrichment and processing#
Based on the input observables, the enricher searches the source Cisco Threat Grid database for matches.
Retrieved matches are stored in the platform as enrichment observables related to the corresponding input observable types.
Input observable |
Enrichment results |
Notes |
---|---|---|
domain |
Hash values |
Results include hash values related to malware samples that may use the input domain to propagate. This information helps identify malicious domains related to malware families or strains. |
hash-md5 hash-sha1 hash-sha256 hash-sha512 |
IP addresses Domain names |
Results include IP addresses and domain names that may be infected by malware or vehicles for malware to propagate. This information helps identify malicious domains and IP addresses related to malware families or strains. |
host |
Hash values |
Results include hash values related to malware samples that may reside on the input host. This information helps identify malicious hosts related to malware families or strains. |
ipv4 ipv6 |
Domain names Hash values |
Results include domain name observables referring to malicious domains hosted on the input IP address. This information helps identify malicious domains and malware related to IP addresses. |
uri |
Hash values |
Results include hash values related to malware samples that may use the input URI to propagate. This information helps identify malicious URIs related to malware families or strains. |
winregistry |
IP addresses Domain names |
Results include IP addresses and domain names that may be infected by malware or vehicles for malware to propagate. This information helps identify malicious domains and IP addresses related to malware families or strains. |
Note
Automatic flagging with high/low maliciousness confidence through Cisco Threat Grid supports only the following observable types:
hash-sha1
hash-sha256
hash-md5
uri
By default, the Cisco Threat Grid enricher timeout value is set to 5 minutes.