Product Updates

 🧠 OverviewWe’re thrilled to announce the release of the VMRay Action for the ThreatQuotient TDR Orchestrator!This new integration allows you to submit URL-based data collections directly to the VMRay Malware Analysis Platform for dynamic analysis and enrichment. By automating the submission of indicators of compromise (IOCs) to VMRay, analysts can enhance detection accuracy and streamline threat investigation workflows.⚙️ Key CapabilitiesThe integration introduces a new TDR Orchestrator Action:VMRay – Submit IOCs – Exports IOCs (specifically URL objects) from ThreatQ to the VMRay platform for automated analysis and enrichment.Once submitted, VMRay returns enriched URL-type indicators that can include:Verdicts (e.g., malicious, suspicious, benign) IOC metadata YARA rule matches Behavioral and network indicators Malicious file hashes Detonation reports (PDF format)🔌 VMRay Operation Connection CapabilitiesThe VMRay Operation enables direct connection from ThreatQ into the VMRay Analyzer to:Submit URLs, FQDNs, and file objects for sandbox detonation. Retrieve structured analysis results for deeper threat correlation. Integrate verdicts and intelligence artifacts into ThreatQ collections for continued investigation.💡 Use CasesSome key use cases for this integration include:Enhanced Threat Intelligence: Automatically enrich IOCs with sandbox verdicts. IOC Mining: Discover new related indicators from dynamic analysis results. Secure Detonation: Analyze URLs and files in a controlled environment. Binary Evaluation: Assess unknown binaries or payloads before network exposure.🔐 RequirementsTo utilize the VMRay Action, ensure you have:An active ThreatQ TDR Orchestrator (TQO) license. Valid credentials for the VMRay Platform. 

 Product Update: Elastic Action for ThreatQuotient TDR Orchestrator Audience: Threat Intelligence Analysts, SOC Teams, MSSPsProduct Module: ThreatQ TDR OrchestratorLast Updated: February 4, 2025Tags: ThreatQuotient, Elastic Security, Elastic Stack, TDR Orchestrator, Threat Intelligence, IOC Enrichment, SIEM Integration, Automation  🧠 OverviewWe’re excited to announce the release of the Elastic Action for the ThreatQuotient TDR Orchestrator! This new integration enriches ThreatQ indicators with contextual data from Elastic Security, allowing analysts to correlate intelligence with operational events—all within their orchestrator workflows. By combining Elastic Security’s SIEM and endpoint telemetry with ThreatQ’s intelligence-driven automation, security teams can detect, investigate, and respond to threats faster and with greater context.  ⚙️ Key Capabilities The Elastic integration introduces a new TDR Orchestrator Action: Elastic Enrich Indicators – Executes an Elastic search query to retrieve matching hits and enriches ThreatQ indicators with contextual data from Elastic Security.   🗂️ Supported Object TypesThe Elastic Enrich Indicators action supports the following object types: Assets Indicators Upon execution, the action returns enriched: Assets Indicators This two-way enrichment helps SOC teams identify related entities, prioritize alerts, and strengthen cross-platform threat context.  🔐 RequirementsTo use the Elastic Action, ensure you have:  An active ThreatQ TDR Orchestrator (TQO) license Valid Elastic Security connection credentials with query access Properly configured search queries or index permissions in your Elastic environment   💡 Why It MattersIntegrating Elastic Security with ThreatQ delivers:  Automated enrichment of indicators with Elastic event data Improved visibility across SIEM and threat intelligence platforms Faster, more efficient investigations through consolidated insights  Together, these capabilities help analysts move from detection to understanding—and from data to action—more efficiently.  📘 Learn MoreVisit the Elastic Security documentation to explore configuration options and use cases.  💬 Try It and Share Your Experience Enable the new Elastic Action in your ThreatQ TDR Orchestrator and let us know how you’re using it to enhance your enrichment workflows.

 Cisco ESA Export IOC Action Bundle for ThreatQ TDR Orchestrator Audience: Threat Intelligence Analysts, SOC Teams, MSSPsProduct Module: ThreatQ TDR Orchestrator (TQO)Last Updated: November 3, 2025Tags: ThreatQuotient, Cisco ESA, TDR Orchestrator, Email Gateway, Blocklist, Safelist, Integration, IOC Automation, Threat Intelligence 📝 Overview A new Cisco Secure Email Gateway (ESA) Export IOC Action Bundle is now available for ThreatQuotient TDR Orchestrator! This Action Bundle automates the export of email addresses, IPs, and FQDNs from your ThreatQ collections to Cisco ESA blocklists and safelists — boosting your email threat defense through seamless orchestration. Using Cisco’s AsyncOS API, the integration enables direct management of Safelist and Blocklist entries, helping teams reduce phishing, spam, and data exfiltration risks through automated updates.  ⚙️ Key CapabilitiesThe Cisco ESA Export IOC Action Bundle includes the following actions: Cisco ESA Add Recipients To Quarantine List – Adds recipients to Safelist or Blocklist Cisco ESA Add Senders To Quarantine List – Adds senders to Safelist or Blocklist Cisco ESA Delete Recipients From Quarantine List – Removes recipients from Safelist or Blocklist Cisco ESA Delete Senders From Quarantine List – Removes senders from Safelist or Blocklist  Supported Indicator Types: 📧 Email Address 🌐 FQDN 💻 IP Address   🧾 RequirementsTo use this Action Bundle, ensure you have:  An active ThreatQ TDR Orchestrator (TQO) license Access to a Cisco Secure Email Gateway (ESA) with AsyncOS API enabled   💡 Why It MattersThis bundle bridges Threat Intelligence 🧠 and Email Security Operations 📧 by automating IOC sharing and enforcement:  ⚡ Auto-export and maintain Safelist/Blocklist entries from ThreatQ data 🛡️ Enhance real-time protection against emerging email threats ⏱️ Reduce manual updates and accelerate response times   🔗 Learn MoreCheck out the ThreatQuotient Integration Catalog for setup guidance and full documentation.   💬 Share your feedback! Try the Cisco ESA Export IOC Action Bundle in your ThreatQ environment today and share your feedback in the Community! 💬

 Smarter Object Correlation in ThreatQ: ACE Parser Now Links Existing Objects Automatically Product Area: ThreatQ Intelligence Platform → IntegrationsRelease Version: ThreatQ v6.13.0Audience: Threat Intel Analysts, Integrators, Platform AdminsLast Updated: November 2, 2025  OverviewThe ACE parser in ThreatQ just got smarter.With the latest v6.13.0 update, the ACE parser now automatically links to existing system objects in your Threat Library — reducing duplicates, preserving context, and improving enrichment accuracy across integrations.  What’s New Automatic Linking: The ACE parser now detects existing Threat Library objects and links them instead of creating duplicates. Exact Name Matching: Matches are case-insensitive and based on exact object names — for example, Sad Panda, SadPanda, and Sad-Panda all match. Configurable Behavior: Matching behavior respects your TQO action configuration — you can define which object types to parse or exclude. ACE-only Object Exception: Objects sourced exclusively from ACE are excluded from keyword matching to prevent false correlations.   Why It MattersThis enhancement delivers: Cleaner data by reducing duplicate objects. Higher automation accuracy in parsing and enrichment workflows. Improved integration performance for large-volume data feeds.  Learn More📘 Visit the ThreatQ Help Center for details on ACE parser configuration and integration workflows. 💡 Try the new ACE parser capabilities in ThreatQ v6.13.0 and share your feedback in the comments — we’d love to hear how these improvements streamline your enrichment workflows!

 Product Update: Automated Policy Lifecycle Management API Release Date: November 2, 2025Audience: Admins, API Integrators, Security EngineersProduct Module: Policy Management API  Overview Security teams can now automate the entire policy lifecycle — from creation to retirement — using the new Policy Management API v2.0.0.This release delivers expanded automation and analytics capabilities for streamlined policy governance across enterprise environments.  Key Enhancements Bulk Deletion: Remove multiple policies in a single API call (/v1/policies/erase) for faster cleanup. Supports up to 100 policies per request. Dynamic Filtering: Retrieve policies with flexible filters (/v1/policies/all), including ?name_like=login or ?criticality=in,High,Medium, plus pagination and sorting options. Enhanced Analytics Integration: Create and update policies with new event analytics checks:   TPI (Threat Intelligence) ActiveList Match String Workflow Simplification: Enable or disable multiple policies at once (/v1/policies/status), or fetch specific ones via /v1/policies/fetch.   Why It MattersThese API enhancements empower teams to: Automate policy governance end-to-end. Integrate policy controls into CI/CD pipelines. Reduce manual management overhead across large deployments.   ⚠️ Upgrade NoticeThis update introduces breaking changes to deletion and analytics endpoints.Review and update any existing scripts or integrations before moving to v2.0.0.  Learn More📘 Securonix Cloud User Guide – Policy Management API  💡 We’d love to hear how you’re using the new API to streamline policy operations — share your feedback in the comments!

Product Update: AI-Powered Summarization for Spotter Searches Introducing AI-Powered Summarization for Spotter Searches!Unlock deeper insights and faster conclusions with AI-generated summaries. Hey everyone, we’re thrilled to unveil our latest innovation in the Spotter tool: AI-Powered Summarization for Spotter Searches. 🤖✨  🆕 What’s New With this release, you can now get automated summaries of your Spotter search results. This AI-driven feature analyzes the data and generates concise, meaningful summaries, saving you time and helping you make sense of complex data sets in a flash. Contextual Insights derived from your search results High-Level Overviews for quicker understanding  💡 Why This Matters Analyzing large volumes of data can be time-consuming and prone to oversight. This enhancement tackles those pain points by: Saving precious time by eliminating manual summarization Ensuring accuracy with AI's thorough data processing Enhancing productivity so you can focus on strategic decisions  🔍 How It Works When you run a Spotter search: Scope your search to activity, violation, indexes. Click Summarize (or open the AI Summary panel) to generate a narrative view of your results. Use the suggested pivots and recommended actions to continue investigating. If the button is disabled, try narrowing your results with filters or shorter time ranges.Getting started Enable it: Go to Administration → Features → Spotter Agent and toggle Summarization on. Control access: Use existing RBAC roles to decide who can run summaries. Check quota: View your AI summarization usage under Administration → Usage → Quotas. For configuration details and quota information, see Spotter Agent Summary documentation. 🚀 Benefits Faster data comprehension Reduced cognitive load Enhanced decision-making speed Greater efficiency for SOC teams  📅 Available Now This AI-Powered Summarization feature is included in the October R1 release and is ready to use today. 💬 We’re Eager for Your Feedback Have you tried the new AI summarization feature yet? How’s it enhancing your workflow? Let us know in the comments below. We’re always listening and building based on your feedback.

 Smarter Whitelisting Just Landed: CIDR Support for IP Address WhitelistingRelease: September R1Category: Platform EnhancementsAvailable To: All Customers  🚀 OverviewWe’ve made whitelisting faster, cleaner, and smarter. Analysts can now whitelist entire CIDR blocks (for example, 192.168.0.0/24)—not just individual IP addresses. This enhancement enables broader and more efficient suppression of low-value alerts from known, trusted network segments.The result? More accurate alerts, fewer false positives, and a smoother SOC experience. 💡 What’s NewYou can now use CIDR notation to add entire subnets to your IP allowlist. Example:Instead of manually adding each IP in your guest Wi-Fi range (192.168.10.1, 192.168.10.2, etc.), simply whitelist the subnet once as:192.168.10.0/24 This single entry covers all 256 IPs in that range—saving you time and reducing allowlist clutter. 🔧 Why It MattersManaging false positives is a top challenge for every SOC. With CIDR support, you can now:  Reduce alert noise from known benign traffic Simplify IP management and reduce manual entries Improve alert precision across your environment Speed up triage and response workflows  🧭 How To Use Navigate to [Whitelisting Settings] → [IP Address Allowlist]. Select Add New Entry. Enter the desired CIDR block (e.g., 192.168.10.0/24). Save changes—your CIDR entry now applies to all IPs in that range.  Note: Existing IP allowlist entries remain unaffected. You can mix individual IPs and CIDR blocks for flexible control. 🌐 AvailabilityThis feature is included in the September R1 Release and is live in all environments. 💬 We’d Love Your Feedback Have you tried CIDR support yet?Share your experience and let us know how it’s improving your alert workflow below. Your feedback helps shape our next updates.

 Whitelisting Just Got Smarter: Preserve Violation Records with Zero RiskRelease: September R1Category: Risk Scoring & WhitelistingAvailable To: All Customers 🚀 OverviewYou asked for more control—and it’s here.With this release, analysts can now preserve violation records even after reducing an entity’s risk score to zero.This enhancement gives SOC teams the flexibility to clean up dashboards without losing valuable historical context for investigations, audits, or analytics.  🆕 What’s NewWhen you apply a whitelist action to reduce an entity’s risk to zero, you’ll now see a new option to retain associated violation records instead of deleting them.Retained violations are:  Hidden from operational dashboards like SAC and SCC Preserved in the underlying index for audits, Spotter queries, and investigations  This means you can declutter your views while keeping the complete history available behind the scenes.  💡 Why This MattersPreviously, whitelisting an entity automatically deleted all related violations—a challenge for teams needing full audit trails or historical analysis.With this enhancement, you can:  Maintain compliance by preserving key violation data Support root cause and trend investigations Keep dashboards clean without losing visibility into past activity Balance data retention with operational efficiency   🔍 How It Works From Entity Whitelisting, select the entity you want to whitelist. Apply the Reduce Risk to Zero action. When prompted, choose whether to Delete or Retain Violations. If retained, the violations are hidden from SAC/SCC dashboards but remain accessible via Spotter or audit tools.  Note: Retained violations do not affect ongoing scoring or alert prioritization—they’re available for reference only. 🚀 Benefits Full audit trail preservation Cleaner dashboards, no data loss Improved compliance posture Greater flexibility for SOC workflows  📅 AvailabilityThis feature is part of the September R1 Release and is available now in your environment. 💬 We’d Love Your FeedbackDoes this new option make your whitelisting process smoother or more audit-friendly?Tell us in the comments below—your insights directly shape future platform improvements.