CTM360 CyberBlindSpot CDF
The web format of this guide reflects the most current release. Guides for older iterations are available in PDF format.
Integration Details
ThreatQuotient provides the following details for this integration:
| Current Integration Version | 1.0.0 |
| Compatible with ThreatQ Versions | >= 4.58.1 |
| Support Tier | ThreatQ Supported |
Introduction
The CTM360 CyberBlindSpot CDF ingests incidents and related indicators of compromise from CTM360 CyberBlindSpot.
The integration provides the following feed:
- CTM360 CyberBlindSpot - ingests incidents with related indicators of compromise.
The integration ingests the following system objects:
- Events - type Incident
- Indicators - FQDNs and URLs
Prerequisites
The integration requires an API key for CTM360 CyberBlindSpot.
Installation
This integration can be installed in the My Integration section of your ThreatQ instance. See the Adding an Integration topic for more details.
Configuration
ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.
To configure the integration:
- Navigate to your integrations management page in ThreatQ.
- Select the Commercial option from the Category dropdown (optional).
If you are installing the integration for the first time, it will be located under the Disabled tab.
- Click on the integration entry to open its details page.
- Enter the following parameters under the Configuration tab:
Parameter Description API Host Your CTM360 hostname without https://. API Key Your CTM360 API Key. Verify Host SSL Enable or disable server certificate validation. - Review any additional settings, make any changes if needed, and click on Save.
- Click on the toggle switch, located above the Additional Information section, to enable it.
ThreatQ Mapping
CTM360 CyberBlindSpot
The CTM360 CyberBlindSpot feed returns incidents and related IOCs (FQDN and URL).
GET https://cbs.ctm360.com/api/v2/incidents
Sample Response:
{
"statusCode": 200,
"success": true,
"message": "Success",
"incident_list": [
{
"id": "COMX414652011967",
"subject": "https://pastebin.com/grgCciX8",
"severity": "High",
"type": "Exposed Email Address",
"class": "URL",
"status": "Member Feedback",
"coa": "Takedown",
"remarks": "New Exposed Email Address with severity High found",
"created_date": "02-03-2023 04:35:36 PM",
"updated_date": "02-03-2023 04:35:36 PM",
"brand": "ISS Enterprise"
},
{
"id": "COMX417109338865",
"subject": "https://www.instagram.com/iss_elegant_enterprise",
"severity": "Low",
"type": "Brand Impersonation",
"class": "URL",
"status": "Under Analyst Review",
"coa": "Monitoring",
"remarks": "New Brand Impersonation with severity Low found",
"created_date": "02-03-2023 02:06:22 PM",
"updated_date": "02-03-2023 02:06:22 PM",
"brand": "ISS Enterprise"
}
]
}ThreatQuotient provides the following default mapping for this feed:
| Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Published Date | Examples | Notes |
|---|---|---|---|---|---|
| incident_list[].subject | Indicators | FQDN or URL | https://pastebin.com/5uQpwnff | N/A | |
| {{data.remarks}} ({{data.subject}}) | Event | event.title | New Exposed Email Address with severity High found (https://pastebin.com/5uQpwnff) | N/A | |
| incident_list[].id | Event Attributes | Incident ID | COMX412588498478 | N/A | |
| incident_list[].severity | Event Attributes | Severity | High | N/A | |
| incident_list[].brand | Event Attributes | Brand | ISS Enterprise | N/A | |
| incident_list[].status | Event Attributes | Status | Member Feedback | N/A | |
| incident_list[].type | Event Attributes | Type | Exposed Email Address | N/A | |
| incident_list[].coa | Indicator Attributes | Course of Action | Takedown | N/A |
Change Log
- Version 1.0.0
- Initial release
PDF Guides
| Document | ThreatQ Version |
|---|---|
| CTM360 CyberBlindSpot CDF Guide v1.0.0 | 4.58.1 or Greater |