How ThreatQ Works with a SIEM

Posted by Jon Warren
One of the capabilities that sets ThreatQ apart is that it allows you to easily integrate tools into a single systemic security architecture and then automates both the removal of noise and the actions needed to address the threat. Our Open Exchange includes a software development kit (SDK), easy-to-use application programming interfaces (APIs) and a comprehensive set of industry-standard interfaces to fully integrate with the equipment, tools, technologies, people, organizations and processes that protect your business.
In this blog series I’m going to briefly discuss how ThreatQ and ThreatQ Investigations augment and integrate with modern security tools and replace legacy processes and systems. Let’s start by looking at how our solutions work with existing Security Information & Event Management (SIEM) systems.
ThreatQ and SIEMs are designed with different use cases in mind. However, when combined, the two solutions provide integrated workflows that optimize time and user experience for intelligence and security analysts alike. Here’s how:
A SIEM aggregates all internal log data and can feed pertinent details from that data into ThreatQ. ThreatQ is focused on aggregating all threat intelligence – internal threat and event data from your SIEM and other sources, with external data on indicators, adversaries and their methods – and allows you to build a threat library that is unique to your organization.
You can search the threat library – a single source of threat knowledge – to accelerate event triage. Through correlation of all of your intelligence sources, ThreatQ understands the details and context behind event-associated indicators. It enriches that data with information about the motivations of the campaign, attackers and their intent so that you gain context to understand the who, what, where, when, why and how of an attack. With context-enriched threat data, the SIEM becomes more efficient and effective.
In turn, the SIEM is a key data source for ThreatQ Investigations which helps to accelerate investigation and analysis. With the “click of an operation” analysts can search the SIEM for indicator-related events. The SIEM can also automatically consume sightings in ThreatQ to deliver customer-specific scoring, allowing for identification of relevant threats.
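As an added illustration of the loop the post describes (not ThreatQ code, and no ThreatQ or SIEM API is assumed): SIEM events are matched against a threat library whose indicators carry adversary, campaign and intent context, and local sightings raise an indicator score. All indicators, scores and events below are constructed.

```python
import json
from collections import Counter

# Constructed threat library: each indicator carries the context the post
# describes (adversary, campaign, intent). Illustrative values, not ThreatQ data.
THREAT_LIBRARY = {
    "203.0.113.7": {"adversary": "Hypothetical Group A", "campaign": "Demo Campaign",
                    "intent": "credential theft", "base_score": 40},
    "bad.example.invalid": {"adversary": "Hypothetical Group B", "campaign": "Demo Phish",
                            "intent": "initial access", "base_score": 60},
}

# Constructed SIEM export (JSON lines), as a SIEM might feed into the platform.
SIEM_EVENTS = """\
{"ts": "2019-01-01T10:00:00Z", "src_ip": "203.0.113.7", "dst": "10.0.0.5", "action": "login_failed"}
{"ts": "2019-01-01T10:01:00Z", "src_ip": "198.51.100.2", "dst": "10.0.0.5", "action": "login_ok"}
{"ts": "2019-01-01T10:02:00Z", "src_ip": "203.0.113.7", "dst": "10.0.0.9", "action": "login_failed"}
{"ts": "2019-01-01T10:03:00Z", "src_ip": "10.0.0.9", "domain": "bad.example.invalid", "action": "dns_query"}
"""

def parse_events(raw):
    """Parse JSON-lines SIEM output into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in raw.splitlines():
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events

def correlate(events, library=THREAT_LIBRARY):
    """Match indicator-bearing fields against the library; return (enriched events, sightings)."""
    enriched, sightings = [], Counter()
    for ev in events:
        for field in ("src_ip", "domain"):
            ioc = ev.get(field)
            if ioc in library:
                sightings[ioc] += 1                       # one local sighting per matching event
                enriched.append({**ev, "indicator": ioc, "context": library[ioc]})
    return enriched, sightings

def score(sightings, library=THREAT_LIBRARY):
    """Customer-specific score: library base score raised by each local sighting, capped at 100."""
    return {ioc: min(100, library[ioc]["base_score"] + 15 * n) for ioc, n in sightings.items()}

if __name__ == "__main__":
    hits, seen = correlate(parse_events(SIEM_EVENTS))
    for h in hits:
        print(h["ts"], h["indicator"], h["context"]["adversary"], h["context"]["intent"])
    print(score(seen))
```

The same indicator seen twice in local events ends with a higher score than a once-seen one with a higher base score, which is the sightings-driven prioritization the post refers to.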
To learn more, download our SIEM Technology Partnership Brief. And check back for a future blog where we’ll discuss how ThreatQ and ThreatQ Investigations work with another complementary technology that’s likely in your security stack.