Maltego is an open source intelligence and graphical link analysis tool for gathering and connecting information for investigative tasks. Maltego is utilized by a broad range of users, ranging from security professionals to forensic investigators and researchers. The Qintel integration for Maltego provides various transforms on entities such as Alias, Domain, Email, IP, Phone, Profile, Messenger ID, Proxy, as well as other, more advanced attributes.
The Qintel Splunk app allows for the enrichment of events with Qintel data to provide context surrounding log data. This helps operators filter, monitor, and alert on activity within their environment. Currently the app supports the following enrichment sources:
QSentry Threat Intelligence
Patch Management Intelligence (PMI)
Palo Alto Networks Cortex XSOAR (formerly known as Demisto) is a Security Orchestration, Automation and Response (SOAR) Platform, which allows SOC analysts to track, triage, and respond to security events within their organization. The Qintel app for XSOAR provides various investigative actions and automation playbooks to enrich indicators in security events with Qintel data. These data provide analysts with context as they triage and respond to security events.
Splunk Phantom is a Security Orchestration, Automation and Response (SOAR) Platform, which allows SOC analysts to track, triage and respond to security events within their organization. The Qintel App for Phantom provides various investigative actions and automation playbooks to enrich artifacts in security events with Qintel data. These data provide analysts with context as they triage and respond to security events.
Checkpoint Custom Intelligence Feeds
The Custom Intelligence Feeds feature provides the ability to add custom cyber intelligence feeds into the Threat Prevention engine. It allows fetching feeds from a third-party server directly to the Security Gateway to be enforced by Anti-Virus and Anti-Bot blades. The Custom Intelligence Feeds feature also assists customers with the operational and engineering management challenges they face handling indicators: managing and monitoring of the custom intelligence feeds is done with minimal operational overhead. The Qintel App for Checkpoint's Custom Intelligence Feeds takes our QSentry feed data and converts it to a form suitable for most Checkpoint appliances running GAIA OS version R80.20+.
The Hive/Cortex is a Security Incident Response Platform and observable analysis platform, which gives operators the ability to quickly investigate and act upon security incidents. This platform is frequently used in conjunction with other open source platforms, such as MISP.
The Qintel analyzers for Cortex gives operators the ability to enrich events with QAuth threat intelligence and QWatch credential data, providing the context needed to classify observables and respond to events. Qintel also provides custom TheHive report templates for visualizing Cortex results.
Anomali ThreatStream is a threat intelligence platform that aggregates diverse sources of threat intelligence. QSentry feeds are integrated and available within the ThreatStream platform.
Minemeld is a threat intelligence processing tool that allows you to extract indicators from threat intelligence feeds and compile the indicators into multiple formats compatible with Palo Alto Networks AutoFocus and other SIEM platforms. The QSentry miner for Minemeld allows you to pull QSentry feeds directly into Minemeld for further integration.
Zeek is an open source platform for network security monitoring. QSentry feeds can be integrated as part of Zeek’s Intelligence framework to allow for matching and alerts based on the network traffic it’s inspecting.
MISP is an open source software solution for collecting, storing, distributing and sharing cyber security indicators and threats about cyber security incidents analysis and malware analysis. The Qintel modules for MISP gives operators the ability to enrich events with QAuth threat intelligence, providing the context needed to classify and respond to events. Operators can also pivot on attributes, querying the breadth of Crosslink data to discover additional context and data.
Tines is a vendor agnostic enterprise automation platform that integrates directly into REST APIs and is designed to help security and ops teams automate workflows.