Have an account?

  •   Personalized content
  •   Your products and support

Need an account?

Create an account

SecureX with Threat Grid Cloud Integration Guide

Available Languages

Download Options

  • PDF     (224.9 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (537.7 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (664.5 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:September 29, 2020
Document ID:215988

    Introduction

    This document describes the steps required to integrate and configure the Threat Grid Cloud module with SecureX.

    Contributed by Jesus Javier Martinez, Edited by Jorge Navarrete, Cisco TAC Engineer.

    Prerequisites

    Requirements


    Cisco recommends that you have knowledge of these topics:

    • Cisco Threat Response
    • Threat Grid Cloud
    • SecureX

    Components Used


    The information in this document is based on these software versions:

    • SecureX threat response console (User account with Administrator rights)
    • Threat Grid console (User account with Administrator rights)
    • SecureX console (User account with Administrator rights)

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Background Information

    Cisco Threat Grid is an advanced and automated malware analysis and malware threat intelligence platform in which suspicious files or web destinations can be detonated without impact the user environment.

    In the integration with SecureX, Threat Grid is a reference module and provides the ability to pivot into the Threat Grid Portal to gather additional intelligence about file hashes, IPs, domains, and URLs in the Threat Grid knowledge store.

    Configure

    Threat Grid portal - Authorize Threat Grid and get API key

    Step 1. Log in to Threat Grid, use Administrator credentials.


    Step 2. Navigate to My Account section, as shown in the image.

    Step 3. Navigate to the Connections section and select Connect Threat Response option as shown in the image.

    Sep 4. Select Authorize option in order to allow Threat Grid to access to Threat Response, as shown in the image.

    Step 5. The Access Authorized message appears to verify Threat Grid has access to Threat Response threat intelligence and enrichment capabilities, as shown in the image.

    Step 6. Navigate to My Account > API > API Key, copy the API key, as shown in the image.

    SecureX portal - Configure Threat Grid Module

    Step 1. Log in to SecureX, use Administrator credentials.

    Step 2. Navigate to the Integrations tab, select Integrations > Add New Module, as shown in the image.

    Step 3. On the Integrations page, select Add New Module in the Threat Grid module pane, as shown in the image.

    Step 4. The Add New Module form opens. Complete the form and select Save to complete the Threat Grid module configuration, as shown in the image.

    • Module Name - Leave the default name or enter a name that is meaningful to you.
    • URL - From the drop-down list, choose the appropriate URL for the location where your Threat Grid account is based (North America or Europe). Ignore the Other option for now.
    • API Key - Threat Grid API Key (copy and paste the API Key from TG page).

    Step 5. Threat Grid is now displayed under your configurations on the Integrations page, as shown in the image.

    (TG is available from pivot menus and in casebooks for improved threat investigation).

    SecureX Portal - Add Threat Grid Dashboard

    Step 1. On SecureX main page, select +New Dashboard.

    Step 2. Select your Threat Grid module.

    Step 3. Set a Dashboard Name.

    Step 4. Mark the options based on your requirements and click on Save.

    Step 5. You can see Threat Grid information on SecureX Dashboard.

    Note: The details displayed on the SecureX Dashboard comes directly from Threat Grid Dashboard, as shown in the image.

    Threat Response Investigation

    Step 1. Navigate to SecureX portal > Applications & Integrations > Threat Response and select Launch.

    Step 2. It redirects automatically to the Cisco Threat Response portal.

    Step 3. You can perform an Investigation on the Threat Response portal.

    Step 4. You can select Browse or Search option. It redirects into the Threat Grid portal to gather additional intelligence about files/hashes/IPs/domains/URLs in the Threat Grid knowledge store, as shown in the image.

    Troubleshoot

    • Verify you have a user account with Admin rights on TG, SecureX threat response, and SecureX portal.

    • Verify you allowed access to Connect Threat Response.

    • Delete the old module and create a new TG module.

    • Verify the Timestamp is properly set on the SecureX portal.

    Video

    You can find the information contained in this document in this video.

    TAC Authored

    Contributed by Cisco Engineers

    • Jesus Javier Martinez
      Cisco TAC Engineer
    • Edited by Jorge Navarrete
      Cisco TAC Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    Related Cisco Community Discussions

    This Document Applies to These Products

    About Us
    Contact Us
    Work with Us