# ThreatQuotient ThreatQ

The ThreatQuotient ThreatQ connector facilitates the automation of threat intelligence operations by enabling seamless integration with the ThreatQ platform. ThreatQuotient ThreatQ is a threat intelligence platform that aggregates, correlates, and analyzes threat data to provide actionable insights. This connector enables Swimlane Turbine users to automate the ingestion and management of threat intelligence, streamline event and indicator handling, and enhance security operations with enriched data. By integrating with ThreatQuotient ThreatQ, users can create and manage events, indicators, and import sessions, as well as perform detailed searches and updates, all within the Swimlane Turbine environment.

## Prerequisites

Before integrating ThreatQuotient ThreatQ with Swimlane Turbine, ensure you have OAuth 2.0 authentication credentials with the following parameters:

- **URL**: the endpoint URL for ThreatQ API access
- **API User Email**: the email associated with your ThreatQ account
- **Client Password**: your password for OAuth client authentication
- **OAuth Client ID**: the client ID provided by ThreatQ for OAuth setup
- **API Type**: the specific API type or version supported by ThreatQ

## Capabilities

The ThreatQuotient connector has the following capabilities:

- Create Event
- Create Indicators List
- Delete Import Indicator
- Get Event List
- Get Indicators List
- Get Indicator By ID
- Import Events
- Indicator Search
- Indicator Search With Value
- Indicators Query
- Update Import Indicator

## Configurations

### OAuth Password Grant

Authenticates using OAuth 2.0 client credentials.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| email | The username for authentication | string | required |
| password | The password for authentication | string | required |
| clientId | Client ID of ThreatQ OAuth | string | required |
| api_type | Authentication is different for standard and beta versions of the ThreatQ API | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |
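The password-grant flow behind the configuration above, as an added example that is not the connector's own code: it obtains a bearer token, caches it until shortly before `expires_in` runs out, and sends it on API calls. The token path `/api/token`, the form field names and the token response fields (`access_token`, `expires_in`, `token_type`) are assumptions drawn from the ThreatQ v1 API rather than from this page, and `ThreatQSession`, `build_token_request` and the `opener`/`clock` hooks are this example's own names. `verify_ssl` defaults to true; turning it off, which the optional connector setting allows, drops the certificate check that keeps the password and the token away from anyone sitting on the path.

```python
"""OAuth 2.0 password grant against ThreatQ (added example, not connector code).

Assumptions (not stated on the connector page): the token endpoint is
POST {url}/api/token, it takes form fields grant_type=password, email,
password and client_id, and it answers with JSON containing access_token,
expires_in and token_type. Adjust these if your ThreatQ API type differs.
"""
import json
import ssl
import time
import urllib.parse
import urllib.request

TOKEN_PATH = "/api/token"  # assumed ThreatQ token endpoint


def build_token_request(base_url, email, password, client_id):
    """Return (url, form-encoded body) for the password-grant token call."""
    form = {
        "grant_type": "password",
        "email": email,
        "password": password,
        "client_id": client_id,
    }
    return base_url.rstrip("/") + TOKEN_PATH, urllib.parse.urlencode(form).encode()


def parse_token_response(raw, now, skew=60):
    """Extract the bearer token and an absolute expiry time (minus a safety skew)."""
    data = json.loads(raw)
    if str(data.get("token_type", "Bearer")).lower() != "bearer":
        raise ValueError("unexpected token_type: %r" % data.get("token_type"))
    return data["access_token"], now + float(data["expires_in"]) - skew


def _default_opener(verify_ssl):
    """Build a sender over urllib; it returns (status, body bytes) for a Request."""
    ctx = ssl.create_default_context()
    if not verify_ssl:
        # Equivalent of the connector's verify_ssl=false: anyone on the path can
        # then read the OAuth password and the bearer token. Lab use only.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def send(req):
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return resp.status, resp.read()

    return send


class ThreatQSession:
    """Caches the bearer token and re-authenticates only when it is about to expire."""

    def __init__(self, base_url, email, password, client_id,
                 verify_ssl=True, opener=None, clock=time.time):
        self.base_url = base_url.rstrip("/")
        self._creds = (email, password, client_id)
        self._send = opener or _default_opener(verify_ssl)  # opener: test/proxy hook
        self._clock = clock
        self._token = None
        self._expires_at = 0.0

    def _ensure_token(self):
        if self._token and self._clock() < self._expires_at:
            return self._token
        url, body = build_token_request(self.base_url, *self._creds)
        req = urllib.request.Request(url, data=body, method="POST", headers={
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        })
        status, raw = self._send(req)
        if status != 200:
            raise RuntimeError("token request failed: HTTP %d" % status)
        self._token, self._expires_at = parse_token_response(raw, self._clock())
        return self._token

    def get_json(self, path, params=None):
        """GET a JSON endpoint such as /api/indicators with the cached bearer token."""
        query = "?" + urllib.parse.urlencode(params) if params else ""
        req = urllib.request.Request(self.base_url + path + query, headers={
            "Authorization": "Bearer " + self._ensure_token(),
            "Accept": "application/json",
        })
        status, raw = self._send(req)
        if status != 200:
            raise RuntimeError("%s failed: HTTP %d" % (path, status))
        return json.loads(raw)


if __name__ == "__main__":
    # Placeholder host and credentials; replace with your own ThreatQ OAuth details.
    tq = ThreatQSession("https://threatq.example.invalid", "analyst@example.invalid",
                        "<password>", "<client id>")
    print(tq.get_json("/api/indicators", {"limit": 5, "sort": "id"}))
```

The `opener` hook is what lets the session be exercised without a ThreatQ instance, and it is also where an `http_proxy` setting would be honoured; the `skew` in `parse_token_response` re-authenticates a minute early so a long-running automation never sends a token that expires in flight.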
## Actions

### Create Event

Initiates the creation of a new event in ThreatQuotient ThreatQ using the provided JSON body data.

**Endpoint URL**: `api/events`

**Method**: POST

**Input**

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| title | string | optional | Parameter for Create Event |
| type | string | optional | Type of the resource |
| happened_at | string | optional | Parameter for Create Event |
| sources | array | optional | Parameter for Create Event |
| sources.name | string | optional | Name of the resource |
| sources.tlp | object | optional | Parameter for Create Event |
| sources.tlp.name | string | optional | Name of the resource |

**Input Example**

```json
{
  "json_body": {
    "title": "event name",
    "type": "spearphish",
    "happened_at": "2017-03-20 01:43:05",
    "sources": [
      {"name": "event source", "tlp": {"name": "amber"}}
    ]
  }
}
```

**Output**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.title | string | Response data |
| data.type_id | number | Response data |
| data.happened_at | string | Response data |
| data.hash | string | Response data |
| data.updated_at | string | Response data |
| data.created_at | string | Response data |
| data.id | number | Response data |
| data.type | object | Response data |
| data.type.id | number | Response data |
| data.type.name | string | Response data |
| data.type.user_editable | string | Response data |
| data.type.created_at | string | Response data |
| data.type.updated_at | string | Response data |
| data.sources | array | Response data |
| data.sources.type | string | Response data |
| data.sources.name | string | Response data |
| data.sources.updated_at | string | Response data |
| data.sources.created_at | string | Response data |
| data.sources.id | number | Response data |

**Output Example**

```json
{
  "status_code": 200,
  "response_headers": {},
  "reason": "OK",
  "json_body": {
    "data": {
      "title": "event name",
      "type_id": 1,
      "happened_at": "2017-03-20 01:43:05",
      "hash": "e59c3274f3156b10aca1c8962a5880cb",
      "updated_at": "2017-03-20 13:35:13",
      "created_at": "2017-03-20 13:35:13",
      "id": 601,
      "type": {},
      "sources": []
    }
  }
}
```

### Create Indicators List

Generates a new list of indicators in ThreatQuotient ThreatQ based on the provided JSON body.

**Endpoint URL**: `api/indicators`

**Method**: POST

**Input**

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.limit | number | optional | Parameters for the Create Indicators List action |
| parameters.offset | number | optional | Parameters for the Create Indicators List action |
| parameters.sort | string | optional | Parameters for the Create Indicators List action |
| parameters.with | string | optional | Parameters for the Create Indicators List action |

**Input Example**

```json
{
  "parameters": {"limit": 100, "offset": 100, "sort": "id", "with": "adversaries,attachments"},
  "json_body": [
    {
      "class": "network",
      "value": "115.47.67.155",
      "type_id": "10",
      "status_id": 2,
      "sources": [
        {"name": "source", "tlp": {"name": "green"}, "published_at": "2016-07-18 02:00:00"}
      ],
      "attributes": [
        {
          "name": "confidence",
          "value": "high",
          "sources": [
            {"name": "source", "tlp": {"name": "green"}, "published_at": "2016-07-18 02:00:00"}
          ]
        },
        {"name": "port", "value": "4000"},
        {"name": "scheme", "value": "https"}
      ]
    }
  ]
}
```

**Output**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| total | number | Output field total |
| data | array | Response data |
| data.id | number | Response data |
| data.type_id | number | Response data |
| data.status_id | number | Response data |
| data.class | string | Response data |
| data.hash | string | Response data |
| data.value | string | Response data |
| data.last_detected_at | object | Response data |
| data.expires_at | object | Response data |
| data.expired_at | object | Response data |
| data.expires_calculated_at | object | Response data |
| data.created_at | string | Response data |
| data.updated_at | string | Response data |
| data.touched_at | string | Response data |
| data.existing | string | Response data |
| data.type | object | Response data |
| data.type.id | number | Response data |
| data.type.name | string | Response data |
| data.type.class | string | Response data |
| data.type.score | object | Response data |
| data.type.wildcard_matching | string | Response data |
| data.type.created_at | string | Response data |

**Output Example**

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"total": 1, "data": [{}]}}
```

### Delete Import Indicator

Removes a specific indicator from an import session in ThreatQuotient ThreatQ using the import ID and indicator ID.

**Endpoint URL**: `api/imports/{{import_id}}/indicators/{{import_indicator_id}}`

**Method**: DELETE

**Input**

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.import_id | number | required | Parameters for the Delete Import Indicator action |
| path_parameters.import_indicator_id | number | required | Parameters for the Delete Import Indicator action |

**Input Example**

```json
{"path_parameters": {"import_id": 1, "import_indicator_id": 2}}
```

**Output**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

**Output Example**

```json
{"status_code": 204, "response_headers": {}, "reason": "OK"}
```

### Get Event List

Retrieve a list of security events from ThreatQuotient ThreatQ with options for filtering and sorting.

**Endpoint URL**: `api/events`

**Method**: GET

**Input**

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.limit | number | optional | Parameters for the Get Event List action |
| parameters.offset | number | optional | Parameters for the Get Event List action |
| parameters.sort | string | optional | Parameters for the Get Event List action |
| parameters.with | string | optional | Parameters for the Get Event List action |

**Input Example**

```json
{"parameters": {"limit": 100, "offset": 100, "sort": "id", "with": "adversaries,attachments"}}
```

**Output**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| total | number | Output field total |
| data | array | Response data |
| data.id | number | Response data |
| data.type_id | number | Response data |
| data.title | string | Response data |
| data.description | string | Response data |
| data.happened_at | string | Response data |
| data.hash | string | Response data |
| data.created_at | string | Response data |
| data.updated_at | string | Response data |
| data.touched_at | string | Response data |

**Output Example**

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"total": 600, "data": [{}, {}, {}]}}
```

### Get Indicator By ID

Retrieve a specific indicator from ThreatQuotient ThreatQ using the unique identifier provided.

**Endpoint URL**: `api/indicators/{{id}}`

**Method**: GET

**Input**

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.id | string | required | Parameters for the Get Indicator By ID action |
| parameters.with | string | optional | Parameters for the Get Indicator By ID action |

**Input Example**

```json
{"path_parameters": {"id": "12345678-1234-1234-1234-123456789abc"}, "parameters": {"with": "string"}}
```

**Output**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.id | number | Response data |
| data.type_id | number | Response data |
| data.status_id | number | Response data |
| data.class | string | Response data |
| data.hash | string | Response data |
| data.value | string | Response data |
| data.last_detected_at | string | Response data |
| data.expires_at | object | Response data |
| data.expired_at | object | Response data |
| data.expires_calculated_at | object | Response data |
| data.created_at | string | Response data |
| data.updated_at | string | Response data |
| data.touched_at | string | Response data |

**Output Example**

```json
{
  "status_code": 200,
  "response_headers": {
    "date": "Thu, 31 Aug 2023 07:33:24 GMT",
    "content-type": "application/json",
    "transfer-encoding": "chunked",
    "connection": "keep-alive",
    "server": "Apache",
    "x-frame-options": "SAMEORIGIN",
    "vary": "Authorization",
    "cache-control": "no-cache",
    "content-security-policy": "frame-ancestors 'self';",
    "x-xss-protection": "1; mode=block",
    "x-content-type-options": "nosniff",
    "strict-transport-security": "max-age=31536000; includeSubDomains; preload",
    "set-cookie": "threatq_api=eyjpdii6il
```

The output example is cut off at this point on the source page.

### Get Indicators List

Retrieve a comprehensive list of indicators from ThreatQuotient ThreatQ for analysis and threat intelligence.

**Endpoint URL**: `api/indicators`

**Method**: GET

**Input**

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.limit | number | optional | Parameters for the Get Indicators List action |
| parameters.offset | number | optional | Parameters for the Get Indicators List action |
| parameters.sort | string | optional | Parameters for the Get Indicators List action |
| parameters.with | string | optional | Parameters for the Get Indicators List action |

**Input Example**

```json
{"parameters": {"limit": 100, "offset": 100, "sort": "id", "with": "adversaries,attachments"}}
```

**Output**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| total | number | Output field total |
| data | array | Response data |
| data.id | number | Response data |
| data.type_id | number | Response data |
| data.status_id | number | Response data |
| data.class | string | Response data |
| data.hash | string | Response data |
| data.value | string | Response data |
| data.last_detected_at | string | Response data |
| data.expires_at | object | Response data |
| data.expired_at | object | Response data |
| data.expires_calculated_at | object | Response data |
| data.created_at | string | Response data |
| data.updated_at | string | Response data |
| data.touched_at | string | Response data |

**Output Example**

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"total": 7481, "data": [{}, {}, {}]}}
```

### Import Events

Retrieve a list of import events from ThreatQuotient ThreatQ using the specified import ID.

**Endpoint URL**: `api/imports/{{import_id}}/events`

**Method**: GET

**Input**

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.limit | number | optional | Parameters for the Import Events action |
| parameters.offset | number | optional | Parameters for the Import Events action |
| parameters.sort | string | optional | Parameters for the Import Events action |
| parameters.with | string | optional | Parameters for the Import Events action |
| path_parameters.import_id | number | required | Parameters for the Import Events action |

**Input Example**

```json
{
  "parameters": {"limit": 100, "offset": 100, "sort": "id", "with": "adversaries,attachments"},
  "path_parameters": {"import_id": 1}
}
```

**Output**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| total | number | Output field total |
| data | array | Response data |
| data.id | number | Response data |
| data.import_id | number | Response data |
| data.title | string | Response data |
| data.description | string | Response data |
| data.type_id | number | Response data |
| data.happened_at | string | Response data |
| data.status_id | number | Response data |
| data.source | string | Response data |
| data.whitelisted | string | Response data |
| data.duplicate | string | Response data |
| data.type | object | Response data |
| data.type.id | number | Response data |
| data.type.name | string | Response data |
| data.type.user_editable | string | Response data |
| data.type.created_at | string | Response data |
| data.type.updated_at | string | Response data |

**Output Example**

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"total": 2, "data": [{}, {}]}}
```

### Indicator Search

Performs a search for indicators within ThreatQuotient ThreatQ based on criteria specified in the provided JSON body.

**Endpoint URL**: `api/indicators/query`

**Method**: POST

**Input**

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.limit | number | optional | Parameters for the Indicator Search action |
| parameters.offset | number | optional | Parameters for the Indicator Search action |
| parameters.sort | string | optional | Parameters for the Indicator Search action |
| criteria | object | optional | Parameter for Indicator Search |
| criteria.+or | array | optional | Parameter for Indicator Search |
| criteria.+or.mentions | string | optional | Parameter for Indicator Search |
| criteria.+or.value | object | optional | Value for the parameter |
| criteria.+or.value.+contains | string | optional | Value for the parameter |
| filters | object | optional | Parameter for Indicator Search |
| filters.+and | array | optional | Parameter for Indicator Search |
| filters.+and.created_at | object | optional | Parameter for Indicator Search |
| filters.+and.created_at.+lt | string | optional | Parameter for Indicator Search |
| filters.+and.+or | array | optional | Parameter for Indicator Search |
| filters.+and.+or.+and | array | optional | Parameter for Indicator Search |
| filters.+and.+or.+and.source_name | string | optional | Name of the resource |
| filters.+and.+or.+and.source_created_at | object | optional | Parameter for Indicator Search |
| filters.+and.updated_at | object | optional | Parameter for Indicator Search |
| filters.+and.updated_at.+lt | string | optional | Parameter for Indicator Search |
| filters.+or | array | optional | Parameter for Indicator Search |
| filters.+or.attribute | object | optional | Parameter for Indicator Search |
| filters.+or.attribute.name | string | optional | Name of the resource |
| filters.+or.attribute.value | string | optional | Value for the parameter |

**Input Example**

```json
{
  "parameters": {"limit": 100, "offset": 100, "sort": "id"},
  "json_body": {
    "criteria": {
      "+or": [
        {"mentions": "org"},
        {"value": {"+contains": "test.com"}}
      ]
    },
    "filters": {
      "+and": [
        {"created_at": {"+lt": "2021-01-27 22:35:00"}},
        {"+or": [
          {"expires_at": {"+gt": "2021-01-26 23:59:59", "+lt": "2021-01-28 00:00:00"}},
          {"expired_at": {"+gt": "2021-01-26 23:59:59", "+lt": "2021-01-28 00:00:00"}}
        ]},
        {"+or": [{"type_name": "fqdn"}]},
        {"+or": [{"status_name": "active"}]},
        {"+or": [{"cidr_ipv4": "19.34.212.155/8"}]},
        {"+or": [{"score": {"+gte": 6, "+lte": 8}}]},
        {"+or": [{"+and": [
          {"source_name": "customer admin"},
          {"published_at": {"+lt": "2021-01-27 22:50:00"}}
        ]}]},
        {"+or": [{"related": {"id": 1, "type": "indicator"}}]},
        {"+or": [{"related": {"object": "adversary"}}]},
        {"+or": [{"source_name": "primary contributor"}]},
        {"+or": [{"tags": "internal"}]},
        {"updated_at": {"+lt": "2021-01-27 22:51:00"}},
        {"+or": [{"+and": [
          {"source_name": "primary contributor"},
          {"source_created_at": {"+lt": "2021-01-27 22:50:00"}}
        ]}]}
      ],
      "+or": [{"attribute": {"name": "confidence", "value": "high"}}]
    }
  }
}
```

**Output**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| total | number | Output field total |
| data | array | Response data |
| data.class | string | Response data |
| data.score | number | Response data |
| data.value | string | Response data |
| data.expires_calculated_at | string | Response data |
| data.touched_at | string | Response data |
| data.id | number | Response data |
| data.updated_at | string | Response data |
| data.published_at | string | Response data |
| data.last_detected_at | string | Response data |
| data.created_at | string | Response data |
| data.status_id | number | Response data |
| data.hash | string | Response data |
| data.type_id | number | Response data |
| data.adversaries | array | Response data |
| data.adversaries.name | string | Response data |
| data.type | object | Response data |
| data.type.name | string | Response data |
| data.type.id | number | Response data |
| data.type.class | string | Response data |
| data.status | object | Response data |
| data.status.name | string | Response data |

**Output Example**

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"total": 2, "data": [{}, {}], "offset": 0, "limit": 25}}
```

### Indicator Search With Value

Performs a search in ThreatQuotient ThreatQ for indicators matching a specified value. Requires the `value` parameter.

**Endpoint URL**: `api/indicators/search`

**Method**: GET

**Input**

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.limit | number | optional | Parameters for the Indicator Search With Value action |
| parameters.offset | number | optional | Parameters for the Indicator Search With Value action |
| parameters.with | string | optional | Parameters for the Indicator Search With Value action |
| parameters.value | string | required | Parameters for the Indicator Search With Value action |

**Input Example**

```json
{"parameters": {"limit": 100, "offset": 100, "with": "adversaries,sources", "value": "%test%"}}
```

**Output**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| total | number | Output field total |
| data | array | Response data |
| data.id | number | Response data |
| data.value | string | Response data |
| data.hash | string | Response data |
| data.class | string | Response data |
| data.type_id | number | Response data |
| data.status_id | number | Response data |
| data.last_detected_at | object | Response data |
| data.created_at | string | Response data |
| data.updated_at | string | Response data |
| data.touched_at | string | Response data |
| data.type | object | Response data |
| data.type.id | number | Response data |
| data.type.name | string | Response data |
| data.status | object | Response data |
| data.status.id | number | Response data |
| data.status.name | string | Response data |
| data.status.description | string | Response data |
| limit | number | Output field limit |
| offset | number | Output field offset |

**Output Example**

```json
{
  "status_code": 200,
  "response_headers": {
    "date": "Wed, 30 Aug 2023 10:44:30 GMT",
    "content-type": "application/json",
    "transfer-encoding": "chunked",
    "connection": "keep-alive",
    "server": "Apache",
    "x-frame-options": "SAMEORIGIN",
    "vary": "Authorization",
    "cache-control": "no-cache",
    "content-security-policy": "frame-ancestors 'self';",
    "x-xss-protection": "1; mode=block",
    "x-content-type-options": "nosniff",
    "strict-transport-security": "max-age=31536000; includeSubDomains; preload",
    "set-cookie": "threatq_api=eyjpdii6in
```

The output example is cut off at this point on the source page.

### Indicators Query

Retrieve a filtered list of indicators from ThreatQuotient ThreatQ based on the specified filter parameters.

**Endpoint URL**: `/api/indicators/query`

**Method**: POST

**Input**

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.limit | string | optional | The maximum number of results to return |
| parameters.offset | string | optional | The number of results to skip before starting to return results |
| parameters.rows | string | optional | The number of rows to return |
| parameters.sort | string | optional | The field to sort the results by |
| fields | array | optional | Parameter for Indicators Query |
| filters | object | optional | The filters to apply to the results |
| filters.+or | array | optional | Parameter for Indicators Query |
| filters.+or.value | string | optional | The value to filter by |
| criteria | object | optional | The criteria to apply to the results |
| with | string | optional | The fields to include in the results |

**Input Example**

```json
{
  "parameters": {"limit": "25", "offset": "0", "rows": "0", "sort": "-created_at"},
  "json_body": {
    "fields": [" ", "score", "sources.name", "sources.tlp_id"],
    "filters": {
      "+or": [
        {"value": "baddomain.com"},
        {"value": "68.68.21.21"},
        {"value": "helloworld.com"},
        {"value": "161fb353ab7e67341fd6a767aa596676"}
      ]
    },
    "criteria": {},
    "with": "adversaries,attachments,attributes,attributes.attribute,comments,events,indicators,score,signatures,sources,status,tags,type,events,malware,campaign,incident,ttp,attack_pattern,report,tool,vulnerability"
  }
}
```

**Output**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| total | number | Output field total |
| data | array | Response data |
| data.id | number | Response data |
| data.type_id | number | Response data |
| data.status_id | number | Response data |
| data.class | string | Response data |
| data.hash | string | Response data |
| data.value | string | Response data |
| data.last_detected_at | string | Response data |
| data.expires_at | object | Response data |
| data.expired_at | object | Response data |
| data.expires_calculated_at | object | Response data |
| data.created_at | string | Response data |
| data.updated_at | string | Response data |
| data.touched_at | string | Response data |

**Output Example**

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"total": 7481, "data": [{}, {}, {}]}}
```
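A worked use of the `filters` syntax shared by the Indicator Search and Indicators Query actions above, as an added example that is not part of the connector: it builds a `+and`/`+or` body that exact-matches several observables and keeps only active indicators, walks the `limit`/`offset` pages using the `total` field of the response, and reduces the returned rows to a per-observable verdict an analyst can act on. The `fetch_page` callable is a hypothetical hook standing in for the connector action or an HTTP client; the sample rows are constructed in the shape of the Indicator Search output (`value`, `score`, `status.name`, `type.name`, `sources.name`), and the block threshold of 6 is an arbitrary choice for the demo. Unlike the `%test%` form of Indicator Search With Value, the `value` filter here is the exact-match form shown in the Indicators Query input example.

```python
"""Indicator lookup with ThreatQ's query filter syntax (added example, not connector code).

fetch_page(params, json_body) is a hypothetical hook standing in for the
Indicators Query action (POST api/indicators/query); the sample rows below are
constructed, not captured from a ThreatQ instance.
"""


def build_lookup_body(values, only_active=True):
    """Exact-match several observables in one query; optionally keep only Active ones."""
    values = [v.strip() for v in values if v and v.strip()]
    if not values:
        raise ValueError("at least one observable value is required")
    groups = [{"+or": [{"value": v} for v in values]}]
    if only_active:
        groups.append({"+or": [{"status_name": "active"}]})
    return {
        "filters": {"+and": groups},
        "criteria": {},
        "with": "score,sources,status,type",
    }


def fetch_all(fetch_page, json_body, limit=25, max_pages=200):
    """Walk limit/offset pages until `total` rows have been collected (or max_pages)."""
    rows, offset = [], 0
    for _ in range(max_pages):
        page = fetch_page({"limit": str(limit), "offset": str(offset)}, json_body)
        data = page.get("data") or []
        rows.extend(data)
        offset += len(data)
        if not data or offset >= int(page.get("total", 0)):
            break
    return rows


def summarize(requested, rows, block_score=6):
    """Map each requested observable to what ThreatQ knows about it."""
    verdicts = {
        v: {"known": False, "score": None, "status": None, "type": None,
            "sources": [], "block": False}
        for v in requested
    }
    for row in rows:
        verdict = verdicts.get(row.get("value"))
        if verdict is None:  # a row we did not ask for; exact match should not produce these
            continue
        score = row.get("score")
        verdict.update(
            known=True,
            score=score,
            status=(row.get("status") or {}).get("name"),
            type=(row.get("type") or {}).get("name"),
            sources=[s.get("name") for s in row.get("sources") or []],
            block=score is not None and score >= block_score,
        )
    return verdicts


# Constructed sample rows in the shape of the Indicator Search output (not real data).
SAMPLE_ROWS = [
    {"id": 1, "value": "baddomain.com", "score": 8,
     "status": {"name": "Active"}, "type": {"name": "FQDN"},
     "sources": [{"name": "primary contributor"}]},
    {"id": 2, "value": "68.68.21.21", "score": 3,
     "status": {"name": "Active"}, "type": {"name": "IP Address"},
     "sources": [{"name": "customer admin"}]},
]


def demo(requested=("baddomain.com", "68.68.21.21", "helloworld.com")):
    """Run the lookup against the constructed rows, one row per page to exercise paging."""
    body = build_lookup_body(requested)

    def fake_fetch(params, _body):
        off, lim = int(params["offset"]), int(params["limit"])
        return {"total": len(SAMPLE_ROWS), "data": SAMPLE_ROWS[off:off + lim],
                "offset": off, "limit": lim}

    return summarize(requested, fetch_all(fake_fetch, body, limit=1))


if __name__ == "__main__":
    for value, verdict in demo().items():
        print(value, verdict)
```

Putting the status filter in its own `+or` group inside the `+and` list mirrors the page's own example, and it keeps retired indicators from being treated as hits; `fetch_all` stops on an empty page as well as on `total`, so a server that under-reports `total` cannot loop the automation.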
### Update Import Indicator

Updates an existing indicator within a specified import batch in ThreatQuotient ThreatQ. Requires the import ID and the import indicator ID.

**Endpoint URL**: `api/imports/{{import_id}}/indicators/{{import_indicator_id}}`

**Method**: PUT

**Input**

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.import_id | number | required | Parameters for the Update Import Indicator action |
| path_parameters.import_indicator_id | number | required | Parameters for the Update Import Indicator action |
| value | string | optional | Value for the parameter |
| type_id | string | optional | Unique identifier |
| status_id | string | optional | Unique identifier |
| source | object | optional | Parameter for Update Import Indicator |
| source.name | string | optional | Name of the resource |
| source.tlp | object | optional | Parameter for Update Import Indicator |
| source.tlp.name | string | optional | Name of the resource |
| whitelisted | string | optional | Parameter for Update Import Indicator |

**Input Example**

```json
{
  "json_body": {
    "value": "99.99.99.96",
    "type_id": "10",
    "status_id": "2",
    "source": {"name": "adversary source", "tlp": {"name": "green"}},
    "whitelisted": "y"
  },
  "path_parameters": {"import_id": 1, "import_indicator_id": 2}
}
```

**Output**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.id | number | Response data |
| data.import_id | number | Response data |
| data.value | string | Response data |
| data.hash | string | Response data |
| data.type_id | number | Response data |
| data.status_id | number | Response data |
| data.source | string | Response data |
| data.import_event_id | object | Response data |
| data.whitelisted | string | Response data |
| data.duplicate | string | Response data |
| data.duplicate_indicator_id | object | Response data |
| data.created_indicator_id | object | Response data |
| data.parent_import_indicator_hash | object | Response data |
| data.type | object | Response data |
| data.type.id | number | Response data |
| data.type.name | string | Response data |
| data.type.class | string | Response data |
| data.type.score | object | Response data |
| data.type.wildcard_matching | string | Response data |
| data.type.created_at | string | Response data |
| data.type.updated_at | string | Response data |

**Output Example**

```json
{
  "status_code": 200,
  "response_headers": {},
  "reason": "OK",
  "json_body": {
    "data": {
      "id": 1133,
      "import_id": 1,
      "value": "99.99.99.96",
      "hash": "3f560465e1b9a5e1fee97b2fbf45de16",
      "type_id": 10,
      "status_id": 2,
      "source": "new source",
      "import_event_id": null,
      "whitelisted": "y",
      "duplicate": "n",
      "duplicate_indicator_id": null,
      "created_indicator_id": null,
      "parent_import_indicator_hash": null,
      "type": {}
    }
  }
}
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Cache-Control | Directives for caching mechanisms | no-cache |
| Connection | HTTP response header Connection | keep-alive |
| Content-Security-Policy | HTTP response header Content-Security-Policy | frame-ancestors 'self'; |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Wed, 30 Aug 2023 10:44:30 GMT |
| Server | Information about the software used by the origin server | Apache |
| Set-Cookie | HTTP response header Set-Cookie | threatq_api=eyjpdii6injjmdnvvgvuy2rlt0hutxfvr2w2due9psisinzhbhvlijoiqzdznxjiv0viztrsnnnkvunjyzhivm10ogq4zhfea3fgohmybzgztwrhchfaenrma1lhtgpkdxp5ttg0vldnb0lrtxfclzjyt1pbu212nw92nly1ynjnpt0ilcjtywmioiiwnwjlmgy0ntdhmjy5nzk0ywjiywu2njc4ytewmjewmtg1nziwztnjnznhyjnhnti1owrimddkn2yxowyzmgriin0%3d; Expires=Wed, 30 Aug 2023 11:44:30 GMT; Max-Age=3600; Path=/api/; Secure; HttpOnly; SameSite=Strict |
| Strict-Transport-Security | HTTP response header Strict-Transport-Security | max-age=31536000; includeSubDomains; preload |
| Transfer-Encoding | HTTP response header Transfer-Encoding | chunked |
| Vary | HTTP response header Vary | Authorization |
| X-Content-Type-Options | HTTP response header X-Content-Type-Options | nosniff |
| X-Frame-Options | HTTP response header X-Frame-Options | SAMEORIGIN |
| X-XSS-Protection | HTTP response header X-XSS-Protection | 1; mode=block |
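The response headers table documents a session cookie carrying `Secure`, `HttpOnly`, `SameSite=Strict` and a scoped `Path`, plus a one-year HSTS policy with `includeSubDomains`. The following is an added example, not part of the connector, that a practitioner can run against the `response_headers` object an action returns to confirm those attributes are still present on their own instance: it parses `Set-Cookie` and `Strict-Transport-Security` and reports what is missing. The header strings embedded below are taken from the table with the cookie payload replaced by the placeholder `<token>`; the one-year threshold is the value the table itself shows.

```python
"""Audit the session-cookie and HSTS attributes the ThreatQ API sends
(added example, not connector code). Header strings below come from the
Response Headers table; the cookie payload is replaced by a placeholder."""

ONE_YEAR = 31536000  # the max-age the documented HSTS header carries


def parse_set_cookie(header):
    """Split a Set-Cookie header into name, value and lower-cased attributes.

    Flag attributes (Secure, HttpOnly) map to True; valued ones keep their string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def cookie_findings(header):
    """Return the hardening attributes a bearer-style cookie is missing (empty = clean)."""
    attrs = parse_set_cookie(header)["attrs"]
    findings = []
    if attrs.get("secure") is not True:
        findings.append("missing Secure: cookie may be sent over plain HTTP")
    if attrs.get("httponly") is not True:
        findings.append("missing HttpOnly: cookie readable from page scripts")
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str) or samesite.lower() not in ("strict", "lax"):
        findings.append("SameSite not Strict or Lax: cross-site requests carry the cookie")
    if "max-age" in attrs and not str(attrs["max-age"]).isdigit():
        findings.append("Max-Age is not a non-negative integer")
    return findings


def parse_hsts(header):
    """Parse Strict-Transport-Security into max_age, include_subdomains and preload."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        key, sep, val = directive.strip().partition("=")
        key = key.lower()
        if key == "max-age" and sep and val.strip().isdigit():
            result["max_age"] = int(val.strip())
        elif key == "includesubdomains":
            result["include_subdomains"] = True
        elif key == "preload":
            result["preload"] = True
    return result


def hsts_findings(header):
    """Return what is weak or absent in an HSTS header (empty = clean)."""
    hsts = parse_hsts(header)
    findings = []
    if hsts["max_age"] is None:
        findings.append("HSTS max-age missing or invalid")
    elif hsts["max_age"] < ONE_YEAR:
        findings.append("HSTS max-age shorter than one year")
    if not hsts["include_subdomains"]:
        findings.append("HSTS does not cover subdomains")
    return findings


def audit(headers):
    """Case-insensitive audit of a response header dict; findings keyed by header name."""
    lower = {k.lower(): v for k, v in headers.items()}
    out = {}
    if "set-cookie" in lower:
        out["set-cookie"] = cookie_findings(lower["set-cookie"])
    # A missing HSTS header is itself a finding, so audit it even when absent.
    out["strict-transport-security"] = hsts_findings(lower.get("strict-transport-security", ""))
    return out


# Header values from the Response Headers table; the cookie payload is a placeholder.
DOCUMENTED_HEADERS = {
    "Set-Cookie": "threatq_api=<token>; Expires=Wed, 30 Aug 2023 11:44:30 GMT; "
                  "Max-Age=3600; Path=/api/; Secure; HttpOnly; SameSite=Strict",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
}


if __name__ == "__main__":
    print(audit(DOCUMENTED_HEADERS))
```

Running `audit` over the `response_headers` of any action output gives an empty finding list for a host configured as the table documents; a non-empty list is worth an alert, since the cookie it describes is the API session token.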