Tégo Cyber (Tego) is a Cyber Threat Intelligence (CTI) platform that SecOps teams use in-line with Amazon Security Lake and Splunk ES to enrich events with IOC context. Customers can search directly for IOCs (domains, hashes, IPs, URLs) and retrieve both Open Source Intelligence (OSINT) and Tego's own CTI for any given IOC.

Query uses the available Tego Threat Feed API endpoints and shapes the returned data into Vulnerability and Threat Intelligence objects, giving analysts rich OSINT and CTI.

Query calls Tego's APIs to give analysts more context on IOCs such as file hashes, URLs, domains, and IPv4 addresses. When an IP, hash, domain, or hostname surfaces in another incident or during a hunt, analysts can query it and receive Tego's CTI and OSINT payload, which, depending on the IOC type, includes reputation, geolocation, reverse DNS, and comments from other analysts.

The integration normalizes data pulled from Tego into Query's OCSF-based QDM (Query Data Model), which enables cross-platform joins and compounds the analyst's ability to investigate. See our integration documentation here. With federated joins, the analyst can see context on the same entity pulled from the other data sources Query is integrated with. QDM extracts and maps the data into the following objects (with some of the key Tego attributes analysts look for during an investigation):

  • ip_intelligence:
    • IP geolocation information
    • ASN, owner, and ISP information
    • reputation score and provider information
  • domain_intelligence and url_intelligence:
    • creation date, registrar, and owner information
  • threat_intelligence:
    • file hash intelligence, source, and reputation
  • reputation:
    • score and provider

Depending on the other integrations in your Query instance, analysts can also find:

  • File, process, and device information.
  • Which user is on the device and what their role is.
  • Additional alerts correlated with the user or the device, for example from email, web, or file activity.
  • Relevant follow-up searches for vulnerability and malware information associated with related entities.
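The two steps described above, normalizing a per-IOC enrichment response into the ip_intelligence / domain_intelligence / url_intelligence / threat_intelligence / reputation objects, and then joining the result against records from another integration, as an added, self-contained Python example. This is illustrative code written for this page, not Query's or Tego's own implementation. The response field names (`geo`, `asn`, `reputation`, `creation_date`, `source`, and so on), the device inventory shape, and all sample values are constructed assumptions; the real Tego API schema and QDM field names are not reproduced here.

```python
import ipaddress
import json
import re
from typing import Any

# Constructed sample enrichment payloads keyed by IOC. Field names are an
# ASSUMPTION made for this example, not Tego's real API schema.
SAMPLE_TI_RESPONSES: dict[str, dict[str, Any]] = {
    "198.51.100.23": {
        "geo": {"country": "NL", "city": "Amsterdam"},
        "asn": {"number": 64496, "owner": "Example Hosting BV", "isp": "Example ISP"},
        "reputation": {"score": 85, "provider": "Tego CTI"},
        "reverse_dns": "c2.example.net",
    },
    "c2.example.net": {
        "creation_date": "2024-01-15",
        "registrar": "Example Registrar Inc",
        "owner": "REDACTED FOR PRIVACY",
        "reputation": {"score": 90, "provider": "Tego CTI"},
    },
    # MD5 of the empty string, used here only as a syntactically valid sample hash.
    "d41d8cd98f00b204e9800998ecf8427e": {
        "source": "OSINT",
        "malware_family": "sample-family",
        "reputation": {"score": 100, "provider": "OSINT"},
    },
}

# Constructed device/user records standing in for an EDR or identity integration.
SAMPLE_DEVICES: list[dict[str, Any]] = [
    {"hostname": "FIN-LAPTOP-07", "ip": "10.0.4.17", "user": "j.doe", "role": "Finance Analyst",
     "connections": ["198.51.100.23"], "file_hashes": ["d41d8cd98f00b204e9800998ecf8427e"]},
    {"hostname": "ENG-WS-22", "ip": "10.0.9.5", "user": "a.smith", "role": "Engineer",
     "connections": ["203.0.113.9"], "file_hashes": []},
]

DOMAIN_RE = re.compile(r"(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}", re.I)
HASH_RE = re.compile(r"(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})", re.I)  # MD5 / SHA-1 / SHA-256
URL_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)


def classify_ioc(ioc: str) -> str:
    """Return 'ip', 'hash', 'url' or 'domain'; raise ValueError for anything else."""
    try:
        ipaddress.IPv4Address(ioc)
        return "ip"
    except ValueError:
        pass
    if HASH_RE.fullmatch(ioc):
        return "hash"
    if URL_RE.match(ioc):
        return "url"
    if DOMAIN_RE.fullmatch(ioc):
        return "domain"
    raise ValueError(f"unrecognised IOC format: {ioc!r}")


def normalize(ioc: str, raw: dict[str, Any]) -> dict[str, Any]:
    """Map one raw response into the QDM-style objects named on this page."""
    kind = classify_ioc(ioc)
    rep = raw["reputation"]
    record: dict[str, Any] = {
        "ioc": ioc,
        "ioc_type": kind,
        "reputation": {"score": rep["score"], "provider": rep["provider"]},
    }
    if kind == "ip":
        asn = raw.get("asn", {})
        record["ip_intelligence"] = {
            "ip": ioc, "location": raw.get("geo", {}), "asn": asn.get("number"),
            "owner": asn.get("owner"), "isp": asn.get("isp"), "reverse_dns": raw.get("reverse_dns"),
        }
    elif kind in ("domain", "url"):
        record[f"{kind}_intelligence"] = {
            kind: ioc, "creation_date": raw.get("creation_date"),
            "registrar": raw.get("registrar"), "owner": raw.get("owner"),
        }
    else:  # hash
        record["threat_intelligence"] = {
            "file_hash": ioc, "source": raw.get("source"), "malware_family": raw.get("malware_family"),
        }
    return record


def join_with_devices(record: dict[str, Any], devices: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Federated-join step: devices that touched the IOC, with user and role."""
    key = {"ip": "connections", "domain": "connections", "hash": "file_hashes"}.get(record["ioc_type"], "urls")
    hits = [d for d in devices if record["ioc"] in d.get(key, [])]
    return [{"hostname": d["hostname"], "user": d["user"], "role": d["role"]} for d in hits]


def investigate(ioc: str) -> dict[str, Any]:
    """Enrich one IOC from the sample feed and attach related devices/users."""
    raw = SAMPLE_TI_RESPONSES.get(ioc)
    if raw is None:
        raise LookupError(f"no intelligence for {ioc}")
    record = normalize(ioc, raw)
    record["related_devices"] = join_with_devices(record, SAMPLE_DEVICES)
    return record


if __name__ == "__main__":
    for sample in SAMPLE_TI_RESPONSES:
        print(json.dumps(investigate(sample), indent=2))
```

The classifier decides which object the response lands in, so the same lookup path serves IPs, domains, URLs and hashes; the join is keyed on whichever device attribute can carry that IOC type, which is why a domain-only IOC matches nothing in the sample inventory even though its resolving IP does.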