First EPSS Action

The web format of this guide reflects the most current release.  Guides for older iterations are available in PDF format.  

Integration Details

ThreatQuotient provides the following details for this integration:

Introduction

The First EPSS action submits a data collection containing CVE IOCs to First EPSS and returns enriched IOCs and relevant attributes.

The integration can perform the following action:

  • First EPSS - Submits indicators to First EPSS API to be enriched with related threat intelligence.

The action is compatible with CVE indicator types.

The action returns enriched indicators and indicator attributes.

This action is intended for use with ThreatQ TDR Orchestrator (TQO). An active TQO license is required for this feature.

Prerequisites

  • An active ThreatQ TDR Orchestrator (TQO) license.
  • A data collection containing CVE indicator objects.

Installation

This action can be installed in the My Integration section of your ThreatQ instance. See the Installing an Action topic for more details.

Configuration

ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.
 

To configure the integration:

  1. Navigate to your integrations management page in ThreatQ.
  2. Select the Actions option from the Category dropdown (optional).
  3. Click on the action entry to open its details page.
  4. Enter the following parameters under the Configuration tab:

    The configurations set on this page will be used as the default settings when inserting this action into a new workflow. Updating the configurations on this page will not update any instances of this action that have already been deployed to a workflow. In that scenario, you must update the action’s configurations within the workflow itself.

    Parameter        Description
    Objects Per Run  The maximum number of objects per run to send to this action. The maximum value for this parameter is 50,000.
    Date             The date for which to pull data, in the format YYYY-MM-DD.

    First EPSS Action Configuration Screen
  5. Review any additional settings, make any changes if needed, and click on Save.

Actions

The integration provides the following action:

Action      Description                              Object Type   Object Subtype
First EPSS  Enriches IOCs using the First EPSS API.  Indicators    CVE

First EPSS

The First EPSS function enriches CVEs using the First EPSS API and returns indicators and indicator attributes.

GET https://api.first.org/data/v1/epss

Sample Response

{
    "status": "OK",
    "status-code": 200,
    "version": "1.0",
    "access": "public",
    "total": 1,
    "offset": 0,
    "limit": 100,
    "data": [
        {
            "cve": "CVE-2023-25193",
            "epss": "0.008900000",
            "percentile": "0.297670000",
            "date": "2023-02-06"
        }
    ]
}

ThreatQ provides the following default mapping for this workflow:

Feed Data Path       ThreatQ Entity       ThreatQ Object Type or Attribute Key   Published Date   Examples      Notes
.data[0].epss        Indicator.Attribute  EPSS Score                             .data[0].date    0.008900000   The value is converted to a percentage
.data[0].percentile  Indicator.Attribute  EPSS Percentile                        .data[0].date    0.297670000   The value is converted to a percentage
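To make the request and mapping concrete, the following added example (not ThreatQ's or FIRST's own code) builds the GET URL for a batch of CVEs as of the configured Date, then applies the default mapping above to a response, converting the decimal score and percentile to percentages and stamping each attribute with the response date. The query parameter names cve, date and limit are an assumption based on the public EPSS API; the second record in the sample response is constructed.

```python
import json
from urllib.parse import urlencode

# Endpoint taken from the guide; the query parameter names (cve, date, limit)
# are an assumption based on the public EPSS API, not taken from the guide.
EPSS_ENDPOINT = "https://api.first.org/data/v1/epss"

# Constructed sample: the guide's sample record plus one made-up record with a
# placeholder CVE ID (its score and percentile are invented, not real EPSS data).
SAMPLE_RESPONSE = json.loads("""{
  "status": "OK", "status-code": 200, "version": "1.0", "access": "public",
  "total": 2, "offset": 0, "limit": 100,
  "data": [
    {"cve": "CVE-2023-25193", "epss": "0.008900000", "percentile": "0.297670000", "date": "2023-02-06"},
    {"cve": "CVE-0000-0000", "epss": "0.500000000", "percentile": "0.900000000", "date": "2023-02-06"}
  ]
}""")

def build_request_url(cves, date, limit=100):
    """Build the GET URL for a batch of CVE IDs as of the configured Date (YYYY-MM-DD)."""
    params = {"cve": ",".join(cves), "date": date, "limit": limit}
    return f"{EPSS_ENDPOINT}?{urlencode(params)}"

def to_percent(decimal_string):
    """EPSS returns scores as decimal strings in [0, 1]; the mapping stores percentages."""
    return round(float(decimal_string) * 100, 6)

def map_epss_response(response, submitted_cves):
    """Turn an EPSS response into attribute rows per the guide's default mapping.
    Returns (attributes, missing): `missing` lists submitted CVEs EPSS did not return,
    so the workflow can record which indicators were not enriched."""
    if response.get("status") != "OK":
        raise ValueError(f"EPSS lookup failed: {response.get('status')} "
                         f"(HTTP {response.get('status-code')})")
    attributes, seen = [], set()
    for record in response.get("data", []):
        seen.add(record["cve"])
        # Both attributes are published with the date the score was computed for
        # (the Date parameter), not the time the action ran.
        for key, field in (("EPSS Score", "epss"), ("EPSS Percentile", "percentile")):
            attributes.append({
                "indicator": record["cve"], "type": "CVE",
                "attribute": key, "value": to_percent(record[field]),
                "published_at": record["date"],
            })
    missing = sorted(set(submitted_cves) - seen)
    return attributes, missing
```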

Enriched Data

Object counts and action runtime are supplied as generalities only; the objects returned by a provider can differ based on credential configuration, and action runtime may vary with system resources and load.

Metric                Result
Run Time              1 minute
Indicators            150
Indicator Attributes  300

Known Issues / Limitations

  • Attribute values are based on the Date configuration parameter. For example, if you select a date of 2023-01-01, the attribute values will be those published for that day.

Change Log

  • Version 1.0.0
    • Initial release

PDF Guides

Document                        ThreatQ Version
First EPSS Action Guide v1.0.0  5.6.0 or Greater