
ThreatQuotient

The Polarity - ThreatQuotient integrations give a user an immediate understanding of their threat landscape when looking at indicators. Polarity has two integrations with ThreatQuotient: one that lets a user see the threat information on indicators, and one that bulk submits indicators to ThreatQuotient, so that security analysts across teams can contribute and gain immediate awareness.

Polarity - ThreatQuotient - provides context around indicators in ThreatQuotient.

Polarity - ThreatQuotient IOC Submission - enables analysts to bulk submit IOCs to Threatstream.

ThreatQuotient Solutions

Security Operations, Threat Hunting, Incident Response

Configuring ThreatQuotient

This integration requires you to complete a few extra steps in order to use it.

In order to use the Polarity - ThreatQuotient integrations, instance URL, username, password, and clientID are required. In order to complete configuration, the Polarity server admin will also need to configure the threatq-config.js file.

Both the ThreatQuotient and the IOC Submission integrations require the same configuration options.

Configuration Options

Indicator Types - IPs, Emails, Hashes, Domains

URL - The URL for your ThreatQuotient server, which should include the scheme (e.g., http, https) and the port if required.

Username - Username for the account using the ThreatQuotient integration.

Password - Password associated with the username, for the account using the ThreatQuotient integration.

Client ID - The Client ID for your ThreatQ deployment. (accessible at https:///assets/js/config.js)

Enable Adding Tags - If selected, users will be able to add new tags from the overlay window

Enable Deleting Tags - If selected, users will be able to delete tags from the overlay window

Enable Editing of Indicator Status - If selected, users will be able to edit the “status” of an indicator (e.g., Active, WhiteListed, Review, etc.)

Enable Manual Editing of Indicator Score - If selected, users will be able to edit the “score” of an indicator. Note that manually setting the score of an indicator is not a recommended best practice. Setting the score manually prevents ThreatQuotient from setting an automatic indicator score.

Minimum Score - Minimum indicator score to be returned by the integration. The lower the score, the more information will be displayed by Polarity.

Maximum Score - Maximum indicator score to be returned by the integration.

Indicator Statuses - Status of the indicators to be searched. Statuses are: active, review, expired, indirect and whitelisted.

Allow IOC Deletion - If selected, analysts running the IOC Submission integration can delete indicators from ThreatQuotient.

Configuring the threatq-config.js file - In order for Polarity to search for the correct indicators, the Polarity server admin will need to edit the threatq-config.js file. To find the indicator values, please see https:///api/indicator/types