The ArcSight Exports CDF for ThreatQuotient enables ThreatQ to automatically export suspicious or malicious IOCs to ArcSight Active Lists. Rules can then be created to generate cases based on matches on the threat intelligence.

The integration provides the following feeds:

• ArcSight MITRE ATT&CK Export (Feed) - exports MITRE ATT&CK Attack Patterns from ThreatQ to the MITRE ATT&CK Active List within ArcSight. This will ensure that your MITRE ATT&CK information within ArcSight is always up-to-date with the latest MITRE changes.
• ArcSight Suspicious Addresses Export - exports IP Addresses from ThreatQ to the Suspicious Addresses Active List within ArcSight.
• ArcSight Suspicious Domain Export - exports FQDNs from ThreatQ to the Suspicious Domain Active List within ArcSight.
• ArcSight Suspicious URL Export - exports URLs from ThreatQ to the Suspicious URL Active List within ArcSight.
• ArcSight Suspicious Hash Export - exports MD5s, SHA-1s, SHA-256s, SHA-512s, and Fuzzy Hashes from ThreatQ to the Suspicious Hash Active List within ArcSight.
• ArcSight Suspicious Email Export - exports Email Addresses from ThreatQ to the Suspicious Email Active List within ArcSight.

External data is not ingested into ThreatQ when this feed finishes its run. Instead, a single report will be created, detailing the successfulness of the feed-run. An analyst can use this data to curate their data better, or be alerted when there are issues with the export.