CISA Reports CDF

The web format of this guide reflects the most current release. Guides for older iterations are available in PDF format.

Integration Details

ThreatQuotient provides the following details for this integration:

Introduction

The CISA Reports CDF consumes data provided by the CISA to notify organizations about threats that exist on the Internet.

The integration provides the following endpoint:

  • CISA Reports - ingests reports from the XML source as well as related system objects.

The integration ingests the following system object types:

  • Files
  • Incidents
  • Indicators
  • Reports
  • TTPs

The CISA Reports CDF replaces the US-CERT Reports CDF. The US-CERT website was removed and its threat intelligence feed was migrated to the main CISA website. This resulted in a naming update as well as an update to the endpoint utilized by the integration.

Installation

This integration can be installed in the My Integration section of your ThreatQ instance. See the Adding an Integration topic for more details.

Configuration

ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.

To configure the integration:

  1. Navigate to your integrations management page in ThreatQ.
  2. Select the OSINT option from the Category dropdown (optional).

    If you are installing the integration for the first time, it will be located under the Disabled tab.

  3. Click on the integration entry to open its details page.
  4. Enter the following parameters under the Configuration tab:
    Parameter | Description
    Verify SSL | When enabled, the integration validates the host-provided SSL certificate. This option is enabled by default.
    Parse Tags | Enable this option to automatically add tags to the report object. This option is enabled by default.
    Parse for Selected Indicators | Select the indicator types to be parsed for reports. Options include:
      • CVEs (default)
      • MD5 Hashes (default)
      • SHA-1 Hashes (default)
      • SHA-256 Hashes (default)
      • SHA-512 Hashes (default)
      • IP Addresses (default)
      This parameter does not apply to parsed STIX files.

    [Screenshot: Configuration Screen]
  5. Review any additional settings, make any changes if needed, and click on Save.
  6. Click on the toggle switch, located above the Additional Information section, to enable it.

ThreatQ Mapping

CISA Reports

The CISA Reports endpoint ingests reports from the XML feed as well as system objects related to each report.

GET https://www.cisa.gov/cybersecurity-advisories/analysis-reports.xml

Depending on the length of the item's description, the CDF may fetch the article's HTML via the item link and use that HTML in place of the inadequate description. That request is made to the following URL:

GET https://www.cisa.gov/news-events/analysis-reports/<report_id>

Sample Response:

<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xml:base="https://www.cisa.gov/" xmlns:dc="http://purl.org/dc/elements/1.1/">
    <channel>
        <title>CISA Analysis Reports</title>
        <link>https://www.cisa.gov/</link>
        <description/>
        <language>en</language>
        <item>
            <title><a href="/news-events/analysis-reports/ar22-272a" hreflang="en">MAR-10365227-2.v1 </a></title>
            <link>https://www.cisa.gov/news-events/analysis-reports/ar22-272a</link>
            <description>Original release date: October 31, 2019 ... </description>
            <pubDate>Thu, 31 Oct 2019 14:57:45 +0000</pubDate>
            <dc:creator>CISA</dc:creator>
            <guid isPermaLink="false">/node/9076</guid>
        </item>
        ...
    </channel>
</rss>

ThreatQuotient provides the following default mapping for this feed:

Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Published Date | Examples | Notes
.rss.channel.item[].title | Report.title | N/A | .rss.channel.item[].pubDate | AR19-304A: MAR-10365227-2 – North Korean Trojan: HOPLIGHT | N/A
.rss.channel.item[].description | Report.description | N/A | N/A | Original release date: October 31, 2019 ... | Base64-encoded image binaries are removed and descriptions are truncated at 65535 characters
N/A | Report.attribute | Report type | .rss.channel.item[].pubDate | CISA Report | N/A
.rss.channel.item[].link | Report.attribute | URL | .rss.channel.item[].pubDate | https://www.cisa.gov/news-events/analysis-reports/ar22-272a | N/A
N/A | Report.attribute | NCAS feed name | .rss.channel.item[].pubDate | Analysis Reports | N/A
.rss.channel.item[].description | Related Indicator.value | IP Address, CVE, MD5, SHA-1, SHA-256, or SHA-512 | .rss.channel.item[].pubDate | N/A | Indicators are parsed out of the description
.rss.channel.item[].description | Related File | Malware Analysis Report | .rss.channel.item[].pubDate | N/A | PDF links are parsed out of the description, downloaded, and related as an attachment
.rss.channel.item[].description | Related File | STIX | .rss.channel.item[].pubDate | N/A | STIX links are parsed out of the description, downloaded, and related as an attachment
N/A | Related Indicator/TTP/Incident.value | N/A | .rss.channel.item[].pubDate | N/A | STIX files are parsed for their indicators, TTPs, incidents, and tags
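The mapping above and the Parse for Selected Indicators option, worked through on a constructed feed item. This is an added example in Python, not ThreatQuotient's CDF code: it reads the <a>-wrapped title, strips base64 image data and caps the description at 65535 characters, parses only the selected indicator types out of the description, and collects the PDF/STIX links that would be downloaded as attachments. The regexes, the returned field names and the sample hash, IP and CVE values are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from email.utils import parsedate_to_datetime

# Constructed sample modelled on the page's sample response; hash, IP, CVE and file URL are illustrative.
SAMPLE_FEED = """<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/"><channel><item>
<title><a href="/news-events/analysis-reports/ar22-272a" hreflang="en">MAR-10365227-2.v1 </a></title>
<link>https://www.cisa.gov/news-events/analysis-reports/ar22-272a</link>
<description>Original release date: October 31, 2019. The sample d41d8cd98f00b204e9800998ecf8427e
beacons to 203.0.113.10 and exploits CVE-2019-0708.
&lt;img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAAB"/&gt;
&lt;a href="https://www.cisa.gov/example/MAR-10365227-2.v1.stix.xml"&gt;STIX&lt;/a&gt;</description>
<pubDate>Thu, 31 Oct 2019 14:57:45 +0000</pubDate>
<dc:creator>CISA</dc:creator>
</item></channel></rss>"""

# One regex per "Parse for Selected Indicators" option; \b keeps a 32-hex MD5 from matching inside a SHA-256.
INDICATOR_PATTERNS = {
    "CVE": re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.I),
    "MD5": re.compile(r"\b[0-9a-f]{32}\b", re.I),
    "SHA-1": re.compile(r"\b[0-9a-f]{40}\b", re.I),
    "SHA-256": re.compile(r"\b[0-9a-f]{64}\b", re.I),
    "SHA-512": re.compile(r"\b[0-9a-f]{128}\b", re.I),
    "IP Address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}
BASE64_IMAGE = re.compile(r"data:image/[\w+.-]+;base64,[A-Za-z0-9+/=]+", re.I)
ATTACHMENT_LINK = re.compile(r'href="([^"]+\.(?:pdf|stix\.xml|xml))"', re.I)
MAX_DESCRIPTION = 65535  # the page's truncation limit for Report.description


def parse_item(item, selected_types=tuple(INDICATOR_PATTERNS)):
    """Map one <item> to the report, attributes and related objects the page describes."""
    # The provider wraps the title in an <a> element, so read all nested text.
    title = "".join(item.find("title").itertext()).strip()
    desc = BASE64_IMAGE.sub("", item.findtext("description") or "")[:MAX_DESCRIPTION]
    pub = item.findtext("pubDate")
    indicators = {t: sorted(set(INDICATOR_PATTERNS[t].findall(desc))) for t in selected_types}
    return {
        "title": title,
        "description": desc,
        "published_at": parsedate_to_datetime(pub) if pub else None,
        "attributes": {"Report type": "CISA Report", "URL": item.findtext("link"),
                       "NCAS feed name": "Analysis Reports"},
        "indicators": {t: v for t, v in indicators.items() if v},
        "attachments": ATTACHMENT_LINK.findall(desc),  # PDF/STIX links to download and relate
    }


def parse_feed(xml_text, selected_types=tuple(INDICATOR_PATTERNS)):
    return [parse_item(i, selected_types) for i in ET.fromstring(xml_text).iter("item")]
```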

Average Feed Run

Object counts and feed runtime are supplied as generalities only: objects returned by a provider can differ based on credential configuration, and feed runtime may vary based on system resources and load.

Metric | Result
Run Time | 2 minutes
Files | 7
Reports | 10
Report Attributes | 30
Indicators | 45
Incidents | 16
TTPs | 2

Change Log

  • Version 2.0.4
    • Resolved a parsing issue with the RSS feed regarding the pubDate.
  • Version 2.0.3
    • Resolved a title parsing issue that was caused by a provider change to the <title> XML format.
  • Version 2.0.2
    • Updated the integration's endpoint based on website migration updates by the provider.
    • Rebranded the integration from US-CERT Reports to CISA Reports.
  • Version 2.0.1
    • Added the ability to parse Tags.
    • Fixed an issue where the wrong TTP objects were parsed.
  • Version 2.0.0
    • Initial Release. This endpoint used to be included in the US-CERT integration. That integration has been deprecated and its endpoints split into four separate CDFs.

PDF Guides

Document | ThreatQ Version
CISA Reports CDF Guide v2.0.4 | 4.52.0 or Greater
CISA Reports CDF Guide v2.0.3 | 4.52.0 or Greater
CISA Reports CDF Guide v2.0.2 | 4.52.0 or Greater
US-CERT Reports CDF Guide v2.0.1 | 4.52.0 or Greater
US-CERT Reports CDF Guide v2.0.0 | 4.52.0 or Greater