Cisco Threat Response is built upon a collection of APIs; which can be used to integrate your Cisco and third-party security products, automate the incident response process and manage threat intelligence and security context data in a single location. Over the next few months, our team will be working with ecosystems partners who already integrate with Cisco Threat Grid, Cisco AMP for Endpoints and Cisco Umbrella, to also integrate with Threat Response. Our priority will be providing engineering expertise to our Threat Intelligence, SIEM and SOAR partners; however, we support an open integration ecosystem.
Some of the things you can do now with the Threat Response API include:
- Enrich an IP address, or file hash
- Load threat intelligence into your Private Intel Store
- Manage your casebooks and investigation snapshots
- Automate response actions
- Provide a link for users to click and Investigate an alert or observable
You can find the API documentation here.
Threat Response Integration Scripts
The first three open-source integration examples, by Michael Auger, are available on the Cisco Security GitHub repository.
- Threat Response – Get Dispositions: This script queries the Threat Response API for the disposition of any observable, such as a hash value
- Threat Response – Enrich: Examples scripts for the Threat Response Enrich API
- Threat Response – Authentication: Example scripts for authenticating to the Threat Response APIs
You can gitter to join the chat with a Cisco engineer about this script and others. Look for more open-source scripts to be coming soon. To learn more about Threat Response, visit our product page.
Want to keep up to date on Cisco Threat Response? Now you can! Subscribe here to receive alerts every time a new blog is posted.