ThreatQuotient

The integration between Archer and ThreatQuotient simplifies the exchange of information between the two platforms in either direction, without a user in either system copying and pasting data from one platform to the other. It enables users familiar with Archer to stay within the Archer interface and update Archer with information from ThreatQ. Likewise, users of ThreatQ can pass information on to Archer seamlessly, where it can be actioned and assigned to other groups according to the organization’s operational workflow, all while maintaining a history of the work done.

Release history

Last updated: October 2018

Solution summary

Partner Integration Overview

Archer Solution: IT & Security Risk Management

Archer Use Case: Security Incident Management

Archer Applications: Security Incidents

Uses Custom Application: No

Requires On-Demand License: No

Partner product configuration

Before you begin

This section provides instructions for configuring the ThreatQuotient for Archer SecOps Application with Archer. This document is not intended to suggest optimum installations or configurations.

It is assumed that the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components.

All ThreatQuotient components must be installed and working prior to the integration. Perform the necessary tests to confirm that this is true before proceeding.

Important: The integration described in this guide is being provided as a reference implementation for evaluation and testing purposes. It may or may not meet the needs and use cases for your organization. If additional customizations or enhancements are needed, it is recommended that customers contact Archer Help for assistance.

ThreatQuotient for Archer Security Incidents configuration

Before beginning the integration steps below, ensure you have reviewed the ThreatQuotient documentation entitled ThreatQ for Archer SecOps Application for any additional requirements or prerequisites.

To begin, ensure that the ThreatQ for Archer SecOps Application.zip file is available to the Archer Microsoft Windows server.

Note: If using Archer SaaS, the integration middleware can be installed on a different Windows Server. You may need to work with ThreatQuotient Professional Services if this is your desired configuration.

Initial Web IIS configuration

  1. Log in via a Remote Desktop connection or directly from the console.

  2. Copy and unzip the Archer-RC2.zip file to the following directory location:

    C:\inetpub\wwwroot\ThreatQ

    The folder structure and location may differ from the directory shown, so consult your Archer admin for the correct directory.

  3. Open IIS Manager on your server.

  4. Click the Application Pools icon.

  5. Right-click in the Application Pools page.

  6. Click Add Application Pool. The Add Application Pool popup will appear.

  7. Name your Application Pool (this guide uses ThreatQ as the example name).

  8. Click OK.

  9. From the IIS Manager, right-click on the ThreatQ folder under Default Website.

  10. Select Convert to Application. The Add Application popup will appear.

  11. Click the Select button. The Select Application Pool popup will appear.

  12. From the drop-down, select ThreatQ and click OK twice.

  13. In a web browser, navigate to http://<ServerIP>/ThreatQ/setup.

  14. The following information is required:

  • SQL Hostname/IP Address: The hostname or IP address of the server hosting the SQL database.

  • SQL Username: The username associated with the SQL database.

  • SQL Password: The password associated with the SQL username above.

  • Account Username: The username of the admin account used for the setup of the ThreatQ for Archer SecOps Application ONLY.

  • Account Password: The password associated with the account username above.

  15. Log on at the logon screen using the account username and password defined earlier. The ThreatQ application configuration page will appear.

  16. Click Configure Middleware.

  17. The ThreatQ Config page will appear. This page will be referred to again.

Archer application ThreatQ configuration

  1. Log in to the ThreatQ instance via the WebUI and navigate to the settings gear in the top right corner.

  2. From the Settings icon, select OAuth Management.

  3. The OAuth Connections page will appear. Take note of the Client ID shown.

  4. From the ThreatQ Config page, insert the relevant details.

  5. The following information is required:

  • ThreatQ Host: The host of the ThreatQ instance, either the IP address or hostname, as resolvable by ThreatQ.

  • ThreatQ Client ID: The OAuth Client ID that was noted earlier.

  • ThreatQ E-mail: The user in the ThreatQ system used for integrations.

  • ThreatQ Password: The password for the above ThreatQ account.

  • Archer Host: The host of the Archer instance, either the IP address or hostname.

  • Archer Username: A user in the Archer system.

  • Archer Password: The password for the above Archer account.

  • Archer Instance: The name of the Archer instance.

  • Archer Domain: The domain in which the Archer server resides (optional).

  6. Click Save ThreatQ Config.

Adding ThreatQ custom objects

A custom object must now be created within Archer so that indicators in incident tickets can be looked up against the ThreatQ platform. The same object also allows the incident ticket to be synced to ThreatQ.

  1. Log in to your Archer instance via the web user interface and navigate via the Hammer and Spanner (drop-down) icon to Application Builder.

  2. Navigate to Applications. The Manage Applications page will appear.

  3. Click Security Incidents, then select Layout.

  4. From the drop-down menu, select Add Section and drag it to the required location.

  5. Name the new section ThreatQ and click OK.

  6. From the drop-down menu, select Add Custom Object and drag it to the required location in the ThreatQ section.

  7. Name the new Custom Object ThreatQ and click OK.

  8. In the section marked Code, enter the code found in Appendix A (Custom object code).

  9. Click OK, then Apply, and then Save. Navigate back to the home screen. You will find within the incidents object a Search button and a Sync Ticket button.

  10. Click Search. A popup will appear. If results are found within ThreatQ, you will be presented with a link to your ThreatQ instance showing the results found for the indicator searched.

  11. Click Sync Ticket to ThreatQ, and a popup will appear with the message: Successfully marked ticket to sync.

Configuring ThreatQ sync settings

After at least one ticket has synced over from the ThreatQ for Archer SecOps Application to ThreatQ, you will then be able to configure which fields to sync to the ticket.

Note: You must select the button to sync at least one ticket in Archer before this step.

  1. In your browser, navigate to the ThreatQ for Archer SecOps Application’s sync settings page by clicking the Sync Settings link or by navigating to http://<ServerIP>/ThreatQ/tqArcherFields.

  2. Change your sync relationship between the Archer Incident fields and ThreatQ to provide context in the ThreatQ event that will be created. Once you’ve selected the relationship, click Save and you’ll see a message to let you know it saved.

    Note: If you select “Indicator” for sync settings, you also need to select the type of indicator to sync it as.

Certification environment

Date tested: October 2018

| Product Name | Version Information | Operating System |
|---|---|---|
| Archer | 6.2 | Virtual Appliance |
| ThreatQuotient for Archer Security Incidents | 1.0 | Windows |

Custom object code

Custom Object Code text:

<html>
<head>
</head>
<body>
<div style="width:100%; white-space:nowrap;">
  <div class="ml-FldLbl" style="width:14%; display:inline-block; text-align:right;">
    <label>Search:</label>
  </div>
  <div class="riSingle RadInput RadInput_archer" style="width:65%; display:inline-block;">
    <input id="search" size="20" class="riTextBox riEnabled" type="text" />
  </div>
  <div style="width:5%; display:inline-block; padding-top:1px;">
  </div>
  <button id="searchbtn">search</button>
  <button id="synctotq">Sync ticket to TQ</button>
</div>
<script>
// Marks the current Archer record for synchronisation to ThreatQ via the middleware.
// getRecordId() is supplied by the Archer custom object environment.
$("#synctotq").on("click", function(e) {
  var id = getRecordId();
  var tqmw = window.location.protocol + "//" + window.location.host;
  var res = $.ajax({
    type: "POST",
    url: tqmw + "/ThreatQ/tqMarkForSync",
    data: {id: id},
    corsRequest: true,
    success: function(data) {
      if (!data.Success) {
        console.error(data.Message);
        return null;
      }
      alert("Successfully marked ticket to sync");
    },
    error: function(err) { console.error(err); return err; },
    async: false
  }).responseJSON;
});

// Looks up the entered value as an indicator in ThreatQ and shows the result in a popup.
$("#searchbtn").on("click", function(e) {
  e.preventDefault();
  if (!$("#search").val()) { return; }
  var tqmw = window.location.protocol + "//" + window.location.host;
  var res = $.ajax({
    type: "GET",
    // The value is URL-encoded so characters such as & or # do not break the query string.
    url: tqmw + "/ThreatQ/tqGetIndicator?value=" + encodeURIComponent($("#search").val()),
    corsRequest: true,
    success: function(data) {
      console.log(data);
      // The middleware returns the ThreatQ response as a JSON string; parse it in place.
      data.data.response = JSON.parse(data.data.response);
      return data;
    },
    error: function(err) { console.error(err); return err; },
    async: false
  }).responseJSON;
  if (!res || !res.Success) { return; }
  var link = res.data.response.total > 0 ?
    res.data.tq_host + "/indicators/" + res.data.response.data[0].id + "/details" : null;
  // Note: the search value is placed into the popup markup without HTML escaping.
  var text = res.data.response.total === 0 ?
    "No indicator matching <strong>" + $("#search").val() + "</strong> was found in ThreatQ." :
    "<strong>Your indicator can be found at:</strong><br/><br/><a target='_blank' href='" + link + "'>" + link + "</a>";
  var d = new Date().getFullYear();
  var html = "<!doctype html><html lang='en'><head><meta charset='utf-8'><meta name='viewport' " +
    "content='width=device-width, initial-scale=1.0'><title>ThreatQ</title><style>html, " +
    "body{margin: 0; padding: 0; font-family: 'Open Sans',Helvetica,Arial,Lucida,sans-serif; " +
    "font-weight: 500; -webkit-font-smoothing: antialiased; text-align: center;}.navbar{overflow: " +
    "hidden; background-color: #5995cb; position: fixed; top: 0; width: 100%;}.navbar h1{color:white; " +
    "font-size: 36px; line-height: 1em; font-weight: 500; margin: 10px;}.container{margin-top: 75px; " +
    "padding: 10px;}#content{margin: 0; position: absolute; top: 50%; left: 50%; transform: " +
    "translate(-50%, -50%); width: 100%;}footer{background-color: #5995cb; position: absolute; " +
    "left: 0; bottom: 0; width: 100%;}.footer-copyright{color: white; padding: 10px;}</style></head>" +
    "<body><div class='navbar'><h1>ThreatQ</h1></div><div class='container'><div id='content'>" + text +
    "</div></div><footer><div class='footer-copyright'>&copy; " + d + " ThreatQuotient, All " +
    "rights reserved.</div></footer></body></html>";
  var win = window.open("", "ThreatQ", "width=600,height=300");
  win.document.body.innerHTML = html;
});
</script>
</body>
</html>
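The search handler in the custom object code above builds the popup markup by string-concatenating the middleware reply and the value typed into the search box. The following is an added example, not part of the ThreatQ for Archer custom object code or any ThreatQuotient deliverable, showing how the same result page can be assembled defensively: the reply is parsed without throwing, the details link is built only from an http(s) tq_host and an integer indicator id, and the search value is HTML-escaped before it reaches the markup. The function names, the constructed sample replies and the host threatq.example.internal are assumptions for illustration; the reply fields Success, data.tq_host and data.response (a JSON string carrying total and data[].id) are the ones the custom object code reads. It runs under Node without jQuery or Archer, and the string it returns is a drop-in replacement for the text variable in the handler.

```javascript
// Added example (not the ThreatQ for Archer custom object code): a hardened version
// of the popup-building logic from the search handler. Reply shape follows what the
// custom object reads; sample replies and hostname below are constructed.

// Escape the five characters that matter when a value is placed into HTML.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, function (c) {
    return { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c];
  });
}

// Parse the middleware reply (raw responseText or an already-parsed object).
// Returns null instead of throwing on any unexpected shape, so a malformed reply
// cannot leave the custom object half-executed.
function parseIndicatorReply(raw) {
  var reply;
  try { reply = typeof raw === "string" ? JSON.parse(raw) : raw; } catch (e) { return null; }
  if (!reply || !reply.Success || !reply.data) { return null; }
  var resp = reply.data.response;
  try { if (typeof resp === "string") { resp = JSON.parse(resp); } } catch (e) { return null; }
  if (!resp || typeof resp.total !== "number") { return null; }
  return { tqHost: reply.data.tq_host, total: resp.total, results: resp.data || [] };
}

// Build the details link only from an http(s) origin and a non-negative integer id,
// so neither field of the reply can inject extra markup or a non-http scheme into href.
function buildDetailsLink(tqHost, id) {
  if (!/^https?:\/\/[^\s'"<>]+$/.test(tqHost || "")) { return null; }
  if (!Number.isInteger(id) || id < 0) { return null; }
  return tqHost.replace(/\/+$/, "") + "/indicators/" + id + "/details";
}

// Produce the popup body for a search term and a parsed reply (or null on failure).
function buildResultMarkup(query, parsed) {
  var q = escapeHtml(query);
  if (!parsed) { return "<strong>ThreatQ lookup failed for " + q + ".</strong>"; }
  if (parsed.total === 0) { return "No indicator matching <strong>" + q + "</strong> was found in ThreatQ."; }
  var id = parsed.results.length ? parsed.results[0].id : NaN;
  var link = buildDetailsLink(parsed.tqHost, id);
  if (!link) { return "<strong>ThreatQ returned a result for " + q + " but no usable link.</strong>"; }
  var l = escapeHtml(link);
  return "<strong>Your indicator can be found at:</strong><br/><br/>" +
    "<a target='_blank' rel='noopener' href='" + l + "'>" + l + "</a>";
}

// Constructed sample replies in the shape the custom object code expects (hostname is made up).
var SAMPLE_HIT = JSON.stringify({
  Success: true,
  data: { tq_host: "https://threatq.example.internal",
          response: JSON.stringify({ total: 1, data: [{ id: 42 }] }) }
});
var SAMPLE_MISS = JSON.stringify({
  Success: true,
  data: { tq_host: "https://threatq.example.internal",
          response: JSON.stringify({ total: 0, data: [] }) }
});

console.log(buildResultMarkup("198.51.100.7", parseIndicatorReply(SAMPLE_HIT)));
console.log(buildResultMarkup("<b>not-an-indicator</b>", parseIndicatorReply(SAMPLE_MISS)));
```

Because the popup opened with window.open("", ...) shares the Archer origin, escaping the search value and constraining the link are what keep a typed or returned value from being interpreted as markup inside Archer's own context.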