Enricher - Cisco Threat Grid


This article describes the specific configuration options to set up the enricher.
To configure the general options for the enricher, see Configure the general options.


Specifications

Enricher name

Cisco Threat Grid

Input

Domain, hashes (hash-md5, hash-sha1, hash-sha256, and hash-sha512), host, IP addresses (ipv4 and ipv6), uri, and winregistry.

Output

Enriches supported observable types, as well as all found observables based on the enricher configuration, with information such as IP addresses, domains, host names, samples and hashes, and Windows registry keys.

API endpoints

https://panacea.threatgrid.com/api/v3/

Description

Polls data from the Cisco Threat Grid API. It provides information on a range of cyber threat data such as IP addresses, domains, registry keys, network streams, and file hashes.

The default Source reliability value for this enricher is C – Fairly reliable.
You can change it to a different reliability value, as needed.

Requirements

Users need an API key. Log in to Cisco Umbrella, and then go to the Investigate API Access area to create a new API token.

Configure the enricher parameters

  1. Edit the enricher.

  2. From the Observable types drop-down menu, select one or more observable types you want to enrich with data retrieved through the Cisco Threat Grid enricher.

  3. The API URL field is automatically filled in with the default domain for the endpoint.
    You can add a proxy or set up ports according to your needs.
    Default value: https://panacea.threatgrid.com/api/v3/.

  4. In the API key field, enter your Cisco API token.

  5. Select the Organization only checkbox to make the enricher check and display only submitted samples created by the organization the current user belongs to.
    That is, the organization must be the author of the submitted samples.
    When selected, this option is validated against the API key value that grants access to the service.

  6. In the Max low confidence threat score field, you can set an upper threshold to automatically flag enriched observables with a low confidence value.
    After completing the sample analysis, enriched observables with a lower threat score than the specified value are flagged as Malicious - Low confidence.

    • Enter an integer value between 0 and 100.

    • Default value: 85.

  7. In the Min high confidence threat score field, you can set a lower threshold to automatically flag enriched observables with a high confidence value.
    After completing the sample analysis, enriched observables with a higher threat score than the specified value are flagged as Malicious - High confidence.

    • Enter an integer value between 0 and 100.

    • Default value: 95.

  8. To store your changes, click Save; to discard them, click Cancel.

Enriched observables with a threat score falling within the range defined by Max low confidence threat score (range lower limit) and Min high confidence threat score (range upper limit), limits included, are flagged as Malicious - Medium confidence.

Enrichment and processing

Based on the input observables, the enricher searches the source Cisco Threat Grid database for matches.

Retrieved matches are stored in the platform as enrichment observables related to the corresponding input observable types.

Each entry below lists the input observable type, the enrichment results it produces, and notes on how to use them.

Input observable: domain
Enrichment results: Hash values
Notes: Results include hash values related to malware samples that may use the input domain to propagate.
This information helps identify malicious domains related to malware families or strains.

Input observable: hash-md5, hash-sha1, hash-sha256, hash-sha512
Enrichment results: IP addresses, Domain names
Notes: Results include IP addresses and domain names that may be infected by malware or vehicles for malware to propagate.
This information helps identify malicious domains and IP addresses related to malware families or strains.

Input observable: host
Enrichment results: Hash values
Notes: Results include hash values related to malware samples that may reside on the input host.
This information helps identify malicious hosts related to malware families or strains.

Input observable: ipv4, ipv6
Enrichment results: Domain names, Hash values
Notes: Results include domain name observables referring to malicious domains hosted on the input IP address.
This information helps identify malicious domains and malware related to IP addresses.

Input observable: uri
Enrichment results: Hash values
Notes: Results include hash values related to malware samples that may use the input URI to propagate.
This information helps identify malicious URIs related to malware families or strains.

Input observable: winregistry
Enrichment results: IP addresses, Domain names
Notes: Results include IP addresses and domain names that may be infected by malware or vehicles for malware to propagate.
This information helps identify malicious domains and IP addresses related to malware families or strains.

Automatic flagging with high/low maliciousness confidence through Cisco Threat Grid supports only the following observable types:

  • hash-sha1

  • hash-sha256

  • hash-md5

  • uri
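The following Python snippet is an added example, not code from the platform or from Cisco Threat Grid. It models the flagging rules from steps 6 and 7 (thresholds between 0 and 100, defaults 85 and 95, scores below the low threshold flagged Low, above the high threshold flagged High, anything in between flagged Medium) together with the restriction above that only the four listed observable types are flagged. The check that the low threshold does not exceed the high threshold, the 0 to 100 range for the threat score itself, and the sample data are assumptions made here for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Observable types that support automatic high/low confidence flagging
# through Cisco Threat Grid, as listed in the documentation.
FLAGGABLE_TYPES = frozenset({"hash-md5", "hash-sha1", "hash-sha256", "uri"})

LOW = "Malicious - Low confidence"
MEDIUM = "Malicious - Medium confidence"
HIGH = "Malicious - High confidence"


@dataclass(frozen=True)
class ThresholdConfig:
    """The two enricher fields; the defaults are the documented ones."""
    max_low_confidence: int = 85
    min_high_confidence: int = 95

    def __post_init__(self) -> None:
        for name, value in (("max_low_confidence", self.max_low_confidence),
                            ("min_high_confidence", self.min_high_confidence)):
            # Documented constraint: an integer between 0 and 100.
            if isinstance(value, bool) or not isinstance(value, int) or not 0 <= value <= 100:
                raise ValueError(f"{name} must be an integer between 0 and 100, got {value!r}")
        # Assumption (not stated on the page): the low threshold must not exceed the
        # high one, otherwise the Medium band would be inverted.
        if self.max_low_confidence > self.min_high_confidence:
            raise ValueError("max_low_confidence must not exceed min_high_confidence")


def is_valid_config(max_low: int, min_high: int) -> bool:
    """True when the pair of thresholds is accepted, False otherwise."""
    try:
        ThresholdConfig(max_low, min_high)
    except ValueError:
        return False
    return True


def confidence_flag(observable_type: str, threat_score: int,
                    cfg: ThresholdConfig = ThresholdConfig()) -> Optional[str]:
    """Return the maliciousness flag for one enriched observable, or None
    when the observable type is not eligible for automatic flagging."""
    if observable_type not in FLAGGABLE_TYPES:
        return None
    # Assumption: Threat Grid threat scores lie on the same 0..100 scale as the thresholds.
    if not 0 <= threat_score <= 100:
        raise ValueError(f"threat score out of range: {threat_score!r}")
    if threat_score < cfg.max_low_confidence:
        return LOW
    if threat_score > cfg.min_high_confidence:
        return HIGH
    # Scores equal to either threshold fall inside the Medium band.
    return MEDIUM


# Constructed sample results (type, value, threat score); not real Threat Grid output.
SAMPLE_RESULTS: List[Tuple[str, str, int]] = [
    ("hash-sha256", "<sha256-placeholder>", 40),
    ("uri", "http://example.invalid/stage2", 90),
    ("hash-md5", "<md5-placeholder>", 99),
    ("domain", "example.invalid", 99),   # not flaggable, even at a high score
]


def flag_results(results: List[Tuple[str, str, int]],
                 cfg: ThresholdConfig = ThresholdConfig()) -> List[Tuple[str, str, Optional[str]]]:
    """Apply confidence_flag to every (type, value, score) row."""
    return [(otype, value, confidence_flag(otype, score, cfg)) for otype, value, score in results]


if __name__ == "__main__":
    for row in flag_results(SAMPLE_RESULTS):
        print(row)
```

Running the block prints one row per sample; the domain row carries None because automatic flagging does not apply to that type, regardless of its score. Tightening the bands (for example max_low_confidence=70, min_high_confidence=98) widens the Medium band and pushes more observables toward analyst review rather than automatic High confidence.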

By default, the Cisco Threat Grid enricher timeout value is set to 5 minutes.

See also