
Cyjax CDF

The web format of this guide reflects the most current release.  Guides for older iterations are available in PDF format.  

Integration Details

ThreatQuotient provides the following details for this integration:

Introduction

The Cyjax CDF allows users to ingest incident reports and indicators of compromise from incidents and honeypots.

This integration provides two feeds:

  • Cyjax Indicators of Compromise - retrieves indicators of compromise (IOCs). Indicators come in multiple forms, including file hashes, IP addresses, domains, and URLs.
  • Cyjax Incident Reports - retrieves incident reports written by Cyjax analysts.

The integration ingests the following system objects:

  • Indicators
    • Indicator Attributes
  • Reports
    • Report Attributes
  • TTPs

Installation

This integration can be installed in the My Integration section of your ThreatQ instance. See the Adding an Integration topic for more details.

Configuration

ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.

To configure the integration:

  1. Navigate to your integrations management page in ThreatQ.
  2. Select the Commercial option from the Category dropdown (optional).

    If you are installing the integration for the first time, it will be located under the Disabled tab.

  3. Click on the integration entry to open its details page.
  4. Enter the following parameter under the Configuration tab:

     | Parameter | Description |
     |---|---|
     | Access Token | The API access token credential issued by Cyjax; it authenticates every request the feeds make. |

  5. Review any additional settings, make any changes if needed, and click on Save.
  6. Click on the toggle switch, located above the Additional Information section, to enable it.

ThreatQ Mapping

Cyjax Indicators of Compromise

The Indicators of Compromise API allows you to retrieve indicators of compromise (IOCs). Indicators come in multiple forms, including file hashes, IP addresses, domains, and URLs. They are collected from multiple sources, including past incidents and honeypots.

The Access Token user field is required to authenticate requests to the feed endpoint.

GET https://api.cyberportal.co/indicator-of-compromise 

Sample Response:

[
    {
        "type": "FileHash-SHA1",
        "value": "23873bf2670cf64c2440058130548d4e4da412dd",
        "industry_type": [
            "Financial",
            "Telecommunication"
        ],
        "handling_condition": "GREEN",
        "discovered_at": "2020-10-27T10:57:52+0000",
        "description": "WellMess malware analysis report",
        "source": "https://cymon.co/report/incident/view?id=69077"
    },
    {
        "type": "IPv4",
        "value": "176.119.29.37",
        "industry_type": [
            "Government",
            "Infrastructure",
            "healthcare",
            "pharmaceutical",
            "IT",
            "Politics",
            "Media",
            "NGO",
            "Education"
        ],
        "handling_condition": "GREEN",
        "discovered_at": "2020-10-27T10:57:52+0000",
        "description": "WellMess malware analysis report",
        "source": "https://cymon.co/report/incident/view?id=69077"
    },
    {
        "type": "FileHash-MD5",
        "value": "d1fb179527218836f3326c3219a3db5f",
        "industry_type": [
            "Government",
            "Infrastructure",
            "healthcare",
            "pharmaceutical",
            "IT",
            "Politics",
            "Media",
            "NGO",
            "Education"
        ],
        "handling_condition": "GREEN",
        "discovered_at": "2020-10-27T10:57:52+0000",
        "description": "WellMess malware analysis report",
        "source": "https://cymon.co/report/incident/view?id=69077"
    }
]

ThreatQuotient provides the following default mapping for this feed:

| Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Examples | Notes |
|---|---|---|---|---|
| results[].type | Indicator.Type | N/A | SHA-256 | Indicator type mapped to ThreatQ type (see IOC Mapping table). |
| results[].value | Indicator.Value | N/A | 391a8a9969cd5ab94d0772998b97bab5d82b44a69239185e421fcb1560b6ef54 | |
| results[].description | Indicator.Description | N/A | WellMess malware analysis report | |
| results[].handling_condition | Indicator.Attribute | Handling Condition | GREEN | |
| results[].source | Indicator.Attribute | Source | https://cymon.co/report/incident/view?id=69077 | The link to the incident report. |
| results[].industry_type | Indicator.Attribute | Industry type | Financial | |
| results[].discovered_at | Indicator.Attribute | Discovered at | 2021-01-14 12:36:09-00:00 | |
| results[].type | Indicator.Attribute | Cyjax IOC type | FileHash-SHA256 | Cyjax indicator type. |

Cyjax Incident Reports

The incident reports resource allows you to retrieve incident reports written by Cyjax analysts.

The Access Token user field is required to authenticate requests to the feed endpoint.

GET https://api.cyberportal.co/report/incident

Sample Response:

[
    {
        "id": 69078,
        "title": "Amazon fires employees for leaking customer data to unaffiliated third party",
        "content": "Amazon has sent out an email to customers telling them that it has recently fired employees responsible for leaking customer data to an unaffiliated third-party. This was in violation of company policies. Only those believed to have been affected have been contacted.\r\nThe company claims that only user email addresses and phone numbers were exposed in this incident, and no other information related to the account was shared. It is currently unclear how many customers have been affected, and whether only UK customers were victims, or if it affected users worldwide.\r\nAnalyst comment: A similar incident to this occurred in January 2020, when Amazon-owned Ring fired multiple employees for improperly accessing customer video data. Corporate espionage is a common threat that can be difficult to mitigate, as it can be caused by a number of factors: scorned employees, monetary gain, or even simple human error. These types of risks can never be completely avoided, but systems can be put in place to control them.",
        "source": "https://www.vice.com/en/article/dy8zwz/amazon-fired-employee-leaking-customer-emails",
        "last_update": "2020-10-27T11:42:55+0000",
        "severity": "low",
        "source_evaluation": "always-reliable",
        "impacts": {
            "others": "minimal-impact",
            "retail": "minimal-impact"
        },
        "tags": [
            "Amazon",
            "Corporate espionage",
            "email address",
            "EMEA",
            "Europe",
            "global",
            "inside threat",
            "Leaks",
            "phone number",
            "UK",
            "unauthorised access"
        ],
        "countries": [
            "United Kingdom"
        ],
        "techniques": [],
        "software": [],
        "ioc": [],
        "ioc_count": 0
    }
]

ThreatQuotient provides the following default mapping for this feed:

| Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Examples | Notes |
|---|---|---|---|---|
| results[].title | Report | N/A | Amazon fires employees for leaking customer data to unaffiliated third party | |
| results[].content | Report.Description | N/A | Report description. | |
| results[].published_at | Report.published_at | N/A | 2021-01-14 12:36:09-00:00 | Not present in the sample response above, which carries last_update instead. |
| results[].severity | Report.Attribute | Severity | Medium | |
| results[].source | Report.Attribute | Source | https://some-website.com | The incident report source. |
| results[].source_evaluation | Report.Attribute | Source evaluation | Always reliable | |
| results[].impacts | Report.Attribute | Impact | Others: Minimal Impact | |
| results[].countries | Report.Attribute | Country | Germany, Portugal | |
| results[].tags | Report.Attribute | Tag | Politics | |
| results[].techniques | Related TTP | N/A | Right-to-Left Override | |
| results[].software | Related TTP | N/A | Hi-Zor | |
| results[].ioc[].type | Related Indicator.Type | See IOC Mapping table | SHA-256 | Indicator type mapped to ThreatQ type. |
| results[].ioc[].value | Related Indicator.Value | N/A | 391a8a9969cd5ab94d0772998b97bab5d82b44a69239185e421fcb1560b6ef54 | |
| results[].ioc[].description | Related Indicator.Description | N/A | WellMess malware analysis report | |
| results[].ioc[].handling_condition | Related Indicator.Attribute | Handling Condition | GREEN | |
| results[].ioc[].source | Related Indicator.Attribute | Source | https://cymon.co/report/incident/view?id=69077 | The link to the incident report. |
| results[].ioc[].industry_type | Related Indicator.Attribute | Industry type | Financial | |
| results[].ioc[].discovered_at | Related Indicator.Attribute | Discovered at | 2021-01-14 12:36:09-00:00 | |
| results[].ioc[].type | Related Indicator.Attribute | Cyjax IOC type | FileHash-SHA256 | Cyjax indicator type. |

IOC Mapping

The following table shows how IOCs from Cyjax are mapped to ThreatQ Indicator Types. A Cyjax type with no row in this table has no ThreatQ equivalent and is not ingested as an indicator.

| Cyjax Type | ThreatQ Indicator Type |
|---|---|
| IPv4 | IP Address |
| IPv6 | IPv6 Address |
| URL | URL |
| Email | Email Address |
| Hostname | FQDN |
| Domain | FQDN |
| FileHash-SHA1 | SHA-1 |
| FileHash-SHA256 | SHA-256 |
| FileHash-MD5 | MD5 |
| FileHash-SSDEEP | Fuzzy Hash |
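The two feed mapping tables and the IOC Mapping table above describe a transformation without showing it end to end. The following Python script is an added example, not ThreatQ's CDF engine or Cyjax code: it applies the IOC Mapping table and the two feed mappings to records shaped like the sample responses above, and adds one check the tables do not mention, which a practitioner would want before indicators reach a detection pipeline: a hash whose length or alphabet does not fit its declared FileHash type, or a Cyjax type with no row in the IOC Mapping table, is rejected and reported rather than ingested under a guessed type. The output dict layout, the attribute names, the casing of severity/impact/source-evaluation values (mirroring the Examples column), one attribute per entry for list fields, the published_at fallback to last_update, and both sample inputs are assumptions or constructed data.

```python
import re

# Cyjax Type -> ThreatQ Indicator Type, copied from the IOC Mapping table above.
IOC_TYPE_MAP = {
    "IPv4": "IP Address", "IPv6": "IPv6 Address", "URL": "URL",
    "Email": "Email Address", "Hostname": "FQDN", "Domain": "FQDN",
    "FileHash-SHA1": "SHA-1", "FileHash-SHA256": "SHA-256",
    "FileHash-MD5": "MD5", "FileHash-SSDEEP": "Fuzzy Hash",
}
# Assumed check, not part of the page's mapping: a hash whose length or alphabet
# does not fit its declared type would never match real sightings, so reject it.
HASH_PATTERNS = {
    "FileHash-MD5": re.compile(r"^[0-9a-f]{32}$", re.I),
    "FileHash-SHA1": re.compile(r"^[0-9a-f]{40}$", re.I),
    "FileHash-SHA256": re.compile(r"^[0-9a-f]{64}$", re.I),
}


def map_ioc(record):
    """One Cyjax IOC record -> ThreatQ-style indicator; ValueError if unusable."""
    cyjax_type = record["type"]
    tq_type = IOC_TYPE_MAP.get(cyjax_type)
    if tq_type is None:
        raise ValueError(f"unmapped Cyjax type {cyjax_type!r}")
    value = record["value"].strip()
    pattern = HASH_PATTERNS.get(cyjax_type)
    if pattern:
        if not pattern.match(value):
            raise ValueError(f"{cyjax_type} value {value!r} is malformed")
        value = value.lower()  # normalise case so the same hash dedupes
    attrs = [("Handling Condition", record.get("handling_condition")),
             ("Source", record.get("source")),
             ("Discovered at", record.get("discovered_at")),
             ("Cyjax IOC type", cyjax_type)]
    # industry_type is a list in the feed; assumed: one attribute per entry.
    attrs += [("Industry type", v) for v in record.get("industry_type", [])]
    return {"type": tq_type, "value": value, "description": record.get("description"),
            "attributes": [{"name": n, "value": v} for n, v in attrs if v is not None]}


def ingest_iocs(records):
    """Split a page of IOC records into mapped indicators and rejects."""
    accepted, rejected = [], []
    for rec in records:
        try:
            accepted.append(map_ioc(rec))
        except (KeyError, ValueError) as exc:
            rejected.append({"record": rec, "reason": str(exc)})
    return accepted, rejected


def map_report(record):
    """One Cyjax incident report -> ThreatQ-style report with related objects."""
    # Value casing follows the Examples column ("Medium", "Always reliable",
    # "Others: Minimal Impact"); the exact formatting is an assumption.
    attrs = [("Severity", record["severity"].capitalize()),
             ("Source", record.get("source")),
             ("Source evaluation", record["source_evaluation"].replace("-", " ").capitalize())]
    attrs += [("Impact", f"{k.capitalize()}: {v.replace('-', ' ').title()}")
              for k, v in record.get("impacts", {}).items()]
    attrs += [("Country", c) for c in record.get("countries", [])]
    attrs += [("Tag", t) for t in record.get("tags", [])]
    # techniques and software both become related TTPs.
    ttps = [{"type": "TTP", "value": name}
            for name in list(record.get("techniques", [])) + list(record.get("software", []))]
    indicators, rejected = ingest_iocs(record.get("ioc", []))
    return {
        "title": record["title"], "description": record["content"],
        # Table maps published_at; the sample only carries last_update (fallback assumed).
        "published_at": record.get("published_at") or record.get("last_update"),
        "attributes": [{"name": n, "value": v} for n, v in attrs if v is not None],
        "related_ttps": ttps, "related_indicators": indicators, "rejected_iocs": rejected,
    }


SAMPLE_IOCS = [  # constructed input; the first record mirrors the IOC sample response
    {"type": "FileHash-SHA1", "value": "23873bf2670cf64c2440058130548d4e4da412dd",
     "industry_type": ["Financial", "Telecommunication"], "handling_condition": "GREEN",
     "discovered_at": "2020-10-27T10:57:52+0000", "description": "WellMess malware analysis report",
     "source": "https://cymon.co/report/incident/view?id=69077"},
    {"type": "IPv4", "value": "176.119.29.37", "handling_condition": "GREEN"},
    # deliberately bad: a 40-hex-digit (SHA-1 length) value labelled as MD5
    {"type": "FileHash-MD5", "value": "23873bf2670cf64c2440058130548d4e4da412dd"},
]
SAMPLE_REPORT = {  # constructed input, trimmed from the incident report sample above
    "title": "Amazon fires employees for leaking customer data to unaffiliated third party",
    "content": "Amazon has sent out an email to customers telling them that it has recently fired employees.",
    "source": "https://www.vice.com/en/article/dy8zwz/amazon-fired-employee-leaking-customer-emails",
    "last_update": "2020-10-27T11:42:55+0000", "severity": "low", "source_evaluation": "always-reliable",
    "impacts": {"others": "minimal-impact", "retail": "minimal-impact"},
    "tags": ["Amazon", "Corporate espionage", "UK"], "countries": ["United Kingdom"],
    "techniques": [], "software": [], "ioc": [],
}

if __name__ == "__main__":
    ok, bad = ingest_iocs(SAMPLE_IOCS)
    print(f"{len(ok)} indicators mapped, {len(bad)} rejected: {[r['reason'] for r in bad]}")
    print(map_report(SAMPLE_REPORT)["attributes"])
```

Running the script maps the SHA-1 and IPv4 records and rejects the mislabelled MD5 record with a reason string, which is the behaviour to look for when reviewing a feed run: rejects should be logged and counted, not silently dropped, since a quiet drop hides feed-quality problems from whoever relies on the indicator counts in the Average Feed Run section.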

Average Feed Run

Object counts and Feed runtime are supplied as generalities only - objects returned by a provider can differ based on credential configurations and Feed runtime may vary based on system resources and load.

Cyjax Indicators of Compromise

| Metric | Result |
|---|---|
| Run Time | 2 minutes |
| Indicators | 234 |
| Indicator Attributes | 2,192 |

Cyjax Incident Reports

| Metric | Result |
|---|---|
| Run Time | 2 minutes |
| Indicators | 789 |
| Indicator Attributes | 7,290 |
| Reports | 34 |
| Report Attributes | 928 |
| TTPs | 104 |

Change Log

  • Version 1.0.0
    • Initial release

PDF Guides

| Document | ThreatQ Version |
|---|---|
| Cyjax CDF Guide v1.0.0 | 4.42.0 or Greater |