First EPSS CDF
The web format of this guide reflects the most current release. Guides for older iterations are available in PDF format.
Integration Details
ThreatQuotient provides the following details for this integration:
Current Integration Version | 1.0.1 |
Compatible with ThreatQ Versions | >= 4.45.0 |
Support Tier | ThreatQ Supported |
Introduction
The First EPSS CDF for ThreatQ enables analysts to automatically ingest the EPSS (Exploit Prediction Scoring System) scores and the EPSS percentiles for a list of CVEs. The EPSS score represents the probability [0-1] of exploitation in the wild in the next 30 days. The percentile of the score represents the proportion of all scored vulnerabilities with the same or a lower EPSS score. The EPSS score and percentile are computed by FIRST, the global Forum of Incident Response and Security Teams.
The integration provides the following feeds:
- First EPSS Scores - ingests the EPSS scores and percentiles for a list of given CVEs.
The integration ingests indicators and indicator attributes.
Installation
This integration can be installed in the My Integration section of your ThreatQ instance. See the Adding an Integration topic for more details.
Configuration
ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.
To configure the integration:
- Navigate to your integrations management page in ThreatQ.
- Select the OSINT option from the Category dropdown (optional).
If you are installing the integration for the first time, it will be located under the Disabled tab.
- Click on the integration entry to open its details page.
- Enter the following parameters under the Configuration tab:
Parameter | Description |
---|---|
A List of Comma-separated CVEs | The CVEs for which the EPSS score and percentile should be ingested. |
Date | Set the date from which to ingest the scores and percentiles. If this value is empty, the most recent values are ingested. The format should be as follows: yyyy-mm-dd |
Minimum EPSS Score | Optional - Enter the minimum EPSS score to ingest the CVE. Only CVEs with the minimum score or greater will be ingested. |
Minimum EPSS Percentile | Optional - Enter the minimum EPSS percentile to ingest the CVE. Only CVEs with the minimum percentile or greater will be ingested. |
- Review any additional settings, make any changes if needed, and click on Save.
- Click on the toggle switch, located above the Additional Information section, to enable it.
ThreatQ Mapping
First EPSS Scores
The First EPSS Scores feed ingests the EPSS scores and the corresponding percentiles for a list of given CVEs. Providing the list is mandatory, because scores are ingested only for the specified CVEs.
GET https://api.first.org/data/v1/epss?cve=CVE-2022-26332,CVE-2022-26315,CVE-2022-26181&offset=0
Sample Response:
{
    "status": "OK",
    "status-code": 200,
    "version": "1.0",
    "access": "public",
    "total": 3,
    "offset": 0,
    "limit": 100,
    "data": [
        {
            "cve": "CVE-2022-26332",
            "epss": "0.000720000",
            "percentile": "0.294870000",
            "date": "2023-04-09"
        },
        {
            "cve": "CVE-2022-26315",
            "epss": "0.000860000",
            "percentile": "0.349110000",
            "date": "2023-04-09"
        },
        {
            "cve": "CVE-2022-26181",
            "epss": "0.000560000",
            "percentile": "0.215250000",
            "date": "2023-04-09"
        }
    ]
}
ThreatQuotient provides the following default mapping for this feed:
Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Published Date | Examples | Notes |
---|---|---|---|---|---|
.data[].cve | Indicator.Value | N/A | .data[].date | CVE-2022-26332 | N/A |
.data[].epss | Indicator.Attribute | EPSS Score | .data[].date | 0.000720000 | The value is converted into a percentage. |
.data[].percentile | Indicator.Attribute | EPSS Score Percentile | .data[].date | 29.487 | The value is converted into a percentage. |
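The mapping and the optional minimum filters can be reproduced outside ThreatQ to check what a given response would ingest. The following is an added example, not ThreatQuotient's code: the function names and the output dict layout are hypothetical, and it assumes the minimum thresholds are given on the API's raw 0-1 scale, which the guide does not specify. Records with a malformed CVE ID or an out-of-range value are skipped rather than ingested.

```python
import json
import re
from decimal import Decimal, InvalidOperation

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed sample: the records from the sample response above, trimmed.
SAMPLE = json.loads("""
{"status": "OK", "status-code": 200, "total": 3, "data": [
 {"cve": "CVE-2022-26332", "epss": "0.000720000", "percentile": "0.294870000", "date": "2023-04-09"},
 {"cve": "CVE-2022-26315", "epss": "0.000860000", "percentile": "0.349110000", "date": "2023-04-09"},
 {"cve": "CVE-2022-26181", "epss": "0.000560000", "percentile": "0.215250000", "date": "2023-04-09"}
]}
""")

def as_percent(raw):
    """Parse a 0-1 decimal string; return (fraction, percentage as a string)."""
    value = Decimal(raw)
    if not (value.is_finite() and 0 <= value <= 1):
        raise ValueError(f"value outside [0, 1]: {raw!r}")
    return value, format((value * 100).normalize(), "f")

def map_epss(response, min_score=None, min_percentile=None):
    """Return indicator dicts for records that pass validation and thresholds.

    Assumption: thresholds use the raw 0-1 scale of the API response.
    """
    if response.get("status") != "OK":
        raise ValueError("unexpected API status")
    indicators = []
    for rec in response.get("data", []):
        try:
            if not CVE_RE.match(rec["cve"]):
                continue  # value is not a well-formed CVE ID
            score, score_pct = as_percent(rec["epss"])
            pctl, pctl_pct = as_percent(rec["percentile"])
        except (KeyError, TypeError, ValueError, InvalidOperation):
            continue  # skip malformed records rather than ingest them
        if min_score is not None and score < Decimal(str(min_score)):
            continue
        if min_percentile is not None and pctl < Decimal(str(min_percentile)):
            continue
        indicators.append({
            "value": rec["cve"], "published_at": rec.get("date"),
            "attributes": {"EPSS Score": score_pct, "EPSS Score Percentile": pctl_pct},
        })
    return indicators
```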
Average Feed Run
Object counts and Feed runtime are supplied as generalities only - objects returned by a provider can differ based on credential configurations and Feed runtime may vary based on system resources and load.
Metric | Result |
---|---|
Run Time | 1 minute |
Indicators | 3 |
Indicator Attributes | 6 |
Change Log
- Version 1.0.1
- Updated the attributes ingested to be displayed as percentages.
- Version 1.0.0
- Initial release
PDF Guides
Document | ThreatQ Version |
---|---|
First EPSS CDF Guide v1.0.1 | 4.45 or Greater |
First EPSS CDF Guide v1.0.0 | 4.45 or Greater |