Flashpoint Ignite Compromised Accounts CDF

The web format of this guide reflects the most current release.  Guides for older iterations are available in PDF format.  

Integration Details

ThreatQuotient provides the following details for this integration:

Introduction

The Flashpoint Ignite Compromised Accounts CDF integration for ThreatQ enables the automatic ingestion of an organization's compromised credentials into ThreatQ. Tracking the affected accounts lets you link them to internal incidents and mitigate potential future breaches.

The integration provides the following feed:

  • Flashpoint Ignite Compromised Accounts - ingests Compromised Accounts as the main object and Events as related objects.

The integration ingests the following system objects:

  • Compromised Account (custom object)
  • Events
  • Malware

Prerequisites

Review the requirements below before attempting to install the CDF.  

Compromised Account Custom Object

The integration requires the Compromised Account custom object.

For export purposes, the system name for Compromised Account objects is account.  

When installing the custom objects, be aware that any in-progress feed runs will be cancelled, and the API will be in maintenance mode.

Use the following steps to install the custom object in ThreatQ v6:   

  1. Download the integration bundle from the ThreatQ Marketplace.
  2. Unzip the bundle and locate the custom object files.

    The custom object files typically consist of a JSON definition file, an install.sh script, and an images folder containing the SVG icons.

  3. SSH into your ThreatQ instance.
  4. Navigate to the following location:
    cd /var/lib/threatq/misc/

  5. Upload the custom object files, including the images folder.

    The directory structure should be as the following:

    • misc
      • install.sh
      • <custom_object_name>.json
      • images (directory)
        • <custom_object_name>.svg
  6. Run the following command:
    kubectl exec -it deployment/api-schedule-run -n threatq -- sh /var/lib/threatq/misc/install.sh /var/lib/threatq/misc

    The installation script will automatically put the application into maintenance mode, move the files to their required directories, install the custom object, update permissions, bring the application out of maintenance mode, and restart dynamo.

  7. Delete the install.sh, definition json file, and images directory from the misc directory after the object has been installed as these files are no longer needed.

Use the following steps to install the custom objects in ThreatQ v5:

  1. Download the integration zip file from the ThreatQ Marketplace and unzip its contents.  
  2. SSH into your ThreatQ instance.
  3. Navigate to tmp directory:
    cd /tmp/

  4. Create a new directory:
    mkdir flashpoint_cdf

  5. Upload the account.json and install.sh script into this new directory.
  6. Create a new directory called images within the flashpoint_cdf directory.
    mkdir images

  7. Upload the account.svg file into the images directory.
  8. Navigate to /tmp/flashpoint_cdf.

    The directory should resemble the following:

    • tmp
      • flashpoint_cdf
        • account.json
        • install.sh
        • images
          • account.svg
  9. Run the following command to ensure that you have the proper permissions to install the custom object:
    chmod +x install.sh

  10. Run the following command:
    sudo ./install.sh

    You must be in the directory level that houses the install.sh and json files when running this command.

    The installation script will automatically put the application into maintenance mode, move the files to their required directories, install the custom object, update permissions, bring the application out of maintenance mode, and restart dynamo.

  11. Remove the temporary directory, after the custom object has been installed, as the files are no longer needed:
    rm -rf flashpoint_cdf

Installation

The Compromised Account custom object must be installed before the CDF itself; see the Prerequisites chapter for details. Attempting to install the CDF without the custom object will cause the CDF install process to fail.

Perform the following steps to install the integration:

The same steps can be used to upgrade the integration to a new version.

  1. Log into https://marketplace.threatq.com/.
  2. Locate and download the integration zip file.
  3. Extract the files and install the Compromised Account custom object.
  4. Navigate to the integrations management page on your ThreatQ instance.
  5. Click on the Add New Integration button.
  6. Upload the yaml file using one of the following methods:
    • Drag and drop the file into the dialog box
    • Select Click to Browse to locate the file on your local machine

    ThreatQ will inform you if the feed already exists on the platform and will require user confirmation before proceeding. ThreatQ will also inform you if the new version of the feed contains changes to the user configuration. The new user configurations will overwrite the existing ones for the feed and will require user confirmation before proceeding.

  7. The feed will be added to the integrations page.  You will still need to configure and then enable the feed.

Configuration

ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.

To configure the integration:

  1. Navigate to your integrations management page in ThreatQ.
  2. Select the Commercial option from the Category dropdown (optional).

    If you are installing the integration for the first time, it will be located under the Disabled tab.

  3. Click on the integration entry to open its details page.
  4. Enter the following parameters under the Configuration tab:
    Parameter | Description
    API Key | Your Flashpoint API key.
    Excluded Domains | A comma-separated list of domains to exclude from search results.
    Hide Compromised Passwords | Enable/disable the ingestion of the compromised account passwords.
    Ingested Context | Select which pieces of context are brought in with the alerts. Options include: Breach Source, Breach Source Type, Breach Type, Affected Domain, Affected Email, Is Fresh Flag, Seen Count, Raw Credentials, Breached Password, Matched Queries, First Observed At.
    Ingest Account Objects | Enable/disable the creation of Compromised Account objects for the affected accounts related to the breach.
    Account Context | Select which pieces of context to ingest with the compromised account. Options include (all enabled by default): Breached Password, Affected Domain, First Observed At, Flashpoint URL, Installed Software, Additional Extracted Metadata, Infection Data, Machine Information, ISP.
    Relate Malware to the Account | Enable this parameter to relate Malware objects to the affected accounts. Enabled by default.
    Enable SSL Certificate Verification | Enable this parameter for the feed to validate the host-provided SSL certificate.
    Disable Proxies | Enable this option if the feed should not honor proxies set in the ThreatQ UI.

    Configuration Screen
  5. Review any additional settings, make any changes if needed, and click on Save.
  6. Click on the toggle switch, located above the Additional Information section, to enable it.

ThreatQ Mapping

Flashpoint Ignite Compromised Accounts

The Flashpoint Ignite Compromised Accounts feed for ThreatQ enables the automatic ingestion of an organization's compromised credentials into ThreatQ.

GET https://api.flashpoint.io/sources/v1/noncommunities/search

Sample Response:

{
    "hits": {
        "hits": [
            {
                "_id": "EMX6QiiPW-ay8-5d732GqB",
                "_source": {
                    "basetypes": [
                        "credential-sighting"
                    ],
                    "body": {
                        "raw": "someone@threatq.com:<some password>"
                    },
                    "breach": {
                        "_header": {},
                        "basetypes": [
                            "breach"
                        ],
                        "breach_type": "credential",
                        "created_at": {
                            "date-time": "2021-06-25T23:57:31Z",
                            "timestamp": 1624665451
                        },
                        "first_observed_at": {
                            "date-time": "2021-06-25T23:57:31Z",
                            "timestamp": 1624665451
                        },
                        "fpid": "ESiczBZVW0Kx3Fxpybfd4B",
                        "published_at_ts": "2021-06-25 23:57:31",
                        "source": "https://www.virustotal.com/gui/file/bd5e65fecff172bce63fb054c85953f93e63baf863456e571df4dfe52da85d3b/details",
                        "source_type": "VirusTotal",
                        "title": "Compromised Users from VirusTotal: Compressed File \"bd5e65fecff172bce63fb054c85953f93e63baf863456e571df4dfe52da85d3b\" Jun252021"
                    },
                    "credential_record_fpid": "iCb5b0mfXvqk0QVJnL6jTw",
                    "customer_id": "0013l00002MH03tAAD",
                    "domain": "threatq.com",
                    "email": "someone@threatq.com",
                    "extraction_id": "DxEdSTXwWR6ouuZc3e7veA",
                    "extraction_record_id": "zEv0ARXyVVuMUEUkDcLzTA",
                    "fpid": "EMX6QiiPW-ay8-5d732GqA",
                    "header_": {
                        "indexed_at": 1625842497,
                        "pipeline_duration": 63793061697
                    },
                    "is_fresh": false,
                    "last_observed_at": {
                        "date-time": "2021-06-25T23:57:31Z",
                        "timestamp": 1624665451
                    },
                    "last_observed_at_ts": "2021-06-25 23:57:31",
                    "password": "<some password>",
                    "password_complexity": {
                        "has_lowercase": true,
                        "has_number": true,
                        "has_symbol": false,
                        "has_uppercase": false,
                        "length": 6
                    },
                    "published_at_ts": "2021-06-25 23:57:31",
                    "times_seen": 1
                },
                "_type": "_doc",
                "matched_queries": [
                    "dat.edm.org.r"
                ]
            }
        ],
        "max_score": null,
        "total": 1
    },
    "timed_out": false,
    "took": 18
}

ThreatQuotient provides the following default mapping for this feed:

Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Published Date | Examples | Notes
._source.breach.title | Related Event.Value | Alert | ._source.breach.created_at | N/A | N/A
._source.breach.victim | Related Event.Attribute | Victim | ._source.breach.created_at | someone@threatq.com | N/A
._source.breach.source | Related Event.Attribute | Source | ._source.breach.created_at | https://www.virustotal.com/gui/file/xxxx | User-configurable
._source.breach.source_type | Related Event.Attribute | Source Type | ._source.breach.created_at | VirusTotal | User-configurable
._source.breach.breach_type | Related Event.Attribute | Breach Type | ._source.breach.created_at | credential | User-configurable
._source.affected_domain | Related Event.Attribute | Affected Domain | ._source.breach.created_at | auction.rihago.auction | User-configurable
._source.email | Related Event.Attribute | Affected Email | ._source.breach.created_at | someone@threatq.com | User-configurable
._source.is_fresh | Related Event.Attribute | Is Fresh | ._source.breach.created_at | false | User-configurable; Updatable
._source.times_seen | Related Event.Attribute | Seen Count | ._source.breach.created_at | 1 | User-configurable; Updatable
._source.body.raw | Related Event.Attribute | Raw Credentials | ._source.breach.created_at | someone@threatq.com:<some password> | User-configurable
.matched_queries | Related Event.Attribute | Matched Query | ._source.breach.created_at | dat.edm.org.r | User-configurable
._source.breach.first_observed_at.date-time | Related Event.Attribute | First Observed At | ._source.breach.created_at | 2021-06-25T23:57:31Z | User-configurable
._source.email | Account.Value | Account | ._source.last_observed_at | someone@threatq.com | The custom object must be installed
._source.password | Account.Attribute | Password | ._source.last_observed_at | Hunter2 | N/A
._source.affected_domain | Account.Attribute | Affected Domain | ._source.last_observed_at | auction.rihago.auction | N/A
._source.credential_record_fpid + _source.fpid | Account.Attribute | Flashpoint URL | ._source.last_observed_at | https://app.flashpoint.io/cti/ato/credential/iCb5b0mfXvqk0QVJnL6jTw::EMX6QiiPW-ay8-5d732GqA | Constructed as https://app.flashpoint.io/cti/ato/credential/{{_source.credential_record_fpid}}::{{_source.fpid}}
._source.infected_host_attributes.installed_software.name | Account.Attribute | Installed Software | ._source.last_observed_at | Windows Defender | User-configurable
._source.infected_host_attributes.host_id | Account.Attribute | Host ID | ._source.last_observed_at | D7E97AF1168849AEC589C51AF308360B | User-configurable; if Additional Extracted Metadata is checked in Account Context
._source.infected_host_attributes.ip | Account.Attribute | IP | ._source.last_observed_at | 102.88.33.186 | User-configurable; if Additional Extracted Metadata is checked in Account Context
._source.infected_host_attributes.ipv4 | Account.Attribute | IPV4 | ._source.last_observed_at | 102.88.33.186 | User-configurable; if Additional Extracted Metadata is checked in Account Context
._source.infected_host_attributes.location.continent_name | Account.Attribute | Continent | ._source.last_observed_at | Africa | User-configurable; if Infection Data is checked in Account Context
._source.infected_host_attributes.location.country_name | Account.Attribute | Country | ._source.last_observed_at | Nigeria | User-configurable; if Infection Data is checked in Account Context
._source.infected_host_attributes.location.city_name | Account.Attribute | City | ._source.last_observed_at | Lagos | User-configurable; if Infection Data is checked in Account Context
._source.infected_host_attributes.machine.os | Account.Attribute | Operation System | ._source.last_observed_at | Windows 10 Enterprise x64 | User-configurable; if Machine Information is checked in Account Context
._source.infected_host_attributes.machine.user | Account.Attribute | Local Username | ._source.last_observed_at | Tosin | User-configurable; if Machine Information is checked in Account Context
._source.infected_host_attributes.machine.extra[].value | Account.Attribute | ._source.infected_host_attributes.machine.extra[].key (the attribute key is taken from the data) | ._source.last_observed_at | Filelocation: C:\\Users\\Tosin\\AppData\\Local\\Temp\\1000169001\\flesh.exe | User-configurable; if Machine Information is checked in Account Context
._source.infected_host_attributes.isp.autonomous_system_number | Account.Attribute | ASN Number | ._source.last_observed_at | 29465 | User-configurable; if ISP is checked in Account Context
._source.infected_host_attributes.isp.connection_type | Account.Attribute | Connection Type | ._source.last_observed_at | Cellular | User-configurable; if ISP is checked in Account Context
._source.infected_host_attributes.isp.autonomous_system_organization | Account.Attribute | Organization Name | ._source.last_observed_at | MTN NIGERIA Communication limited | User-configurable; if ISP is checked in Account Context
._source.infected_host_attributes.isp.organization | Account.Attribute | AS Organization | ._source.last_observed_at | MTN Nigeria | User-configurable; if ISP is checked in Account Context
._source.infected_host_attributes.malware.family | Related Malware.Value | Malware | ._source.last_observed_at | readline_stealer | User-configurable; if Relate Malware to the Account is checked
._source.infected_host_attributes.malware.version | Related Malware.Attribute | Malware Version | ._source.last_observed_at | Premium logs https://t.me/stealerforum | User-configurable; if Relate Malware to the Account is checked
._source.infected_host_attributes.malware.scanned_at.date-time | Related Malware.Attribute | Scan Timestamp | ._source.last_observed_at | 2024-01-10T21:47:01 | User-configurable; if Relate Malware to the Account is checked
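The following is an added example, not code from the ThreatQ CDF, showing how one hit from the sample response above is mapped to the Event and Account rows of the table, including the Flashpoint URL construction and the Excluded Domains and Hide Compromised Passwords settings. The output dict layout is assumed, as is the choice to withhold the Raw Credentials attribute whenever passwords are hidden.

```python
import json

# Constructed sample: the documented response trimmed to the fields the mapping uses.
SAMPLE = json.loads('''{"hits": {"hits": [{"_id": "EMX6QiiPW-ay8-5d732GqB",
  "_source": {"body": {"raw": "someone@threatq.com:<some password>"},
    "breach": {"breach_type": "credential",
      "created_at": {"date-time": "2021-06-25T23:57:31Z"},
      "first_observed_at": {"date-time": "2021-06-25T23:57:31Z"},
      "source": "https://www.virustotal.com/gui/file/xxxx", "source_type": "VirusTotal",
      "title": "Compromised Users from VirusTotal: Compressed File xxxx Jun252021"},
    "credential_record_fpid": "iCb5b0mfXvqk0QVJnL6jTw", "domain": "threatq.com",
    "email": "someone@threatq.com", "fpid": "EMX6QiiPW-ay8-5d732GqA", "is_fresh": false,
    "last_observed_at": {"date-time": "2021-06-25T23:57:31Z"},
    "password": "<some password>", "times_seen": 1},
  "matched_queries": ["dat.edm.org.r"]}], "total": 1}}''')

# Notes column of the mapping table: the Flashpoint URL is built from two fpids.
FLASHPOINT_URL = "https://app.flashpoint.io/cti/ato/credential/{}::{}"


def map_hit(hit, excluded_domains=(), hide_passwords=False, ingest_accounts=True):
    """Map one hit to (event, account); None when the hit's domain is excluded."""
    src, breach = hit["_source"], hit["_source"]["breach"]
    if src.get("domain", "").lower() in {d.strip().lower() for d in excluded_domains}:
        return None
    # Event rows are dated by breach.created_at; Account rows by last_observed_at.
    event_attrs = {
        "Source": breach.get("source"),
        "Source Type": breach.get("source_type"),
        "Breach Type": breach.get("breach_type"),
        "Affected Domain": src.get("affected_domain"),
        "Affected Email": src.get("email"),
        "Is Fresh": src.get("is_fresh"),
        "Seen Count": src.get("times_seen"),
        "Matched Query": ", ".join(hit.get("matched_queries", [])) or None,
        "First Observed At": breach["first_observed_at"]["date-time"],
    }
    # Assumption: Raw Credentials embeds the clear-text password, so hide it too.
    if not hide_passwords:
        event_attrs["Raw Credentials"] = src["body"]["raw"]
    event = {"type": "Alert", "value": breach["title"],
             "published_at": breach["created_at"]["date-time"],
             "attributes": {k: v for k, v in event_attrs.items() if v is not None}}
    account = None
    if ingest_accounts:
        attrs = {"Flashpoint URL": FLASHPOINT_URL.format(
                     src["credential_record_fpid"], src["fpid"]),
                 "Affected Domain": src.get("affected_domain")}
        if not hide_passwords:
            attrs["Password"] = src["password"]
        account = {"type": "Account", "value": src["email"],
                   "published_at": src["last_observed_at"]["date-time"],
                   "attributes": {k: v for k, v in attrs.items() if v is not None}}
    return event, account
```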

Average Feed Run

Object counts and Feed runtime are supplied as generalities only - objects returned by a provider can differ based on credential configurations and Feed runtime may vary based on system resources and load.

Metric | Result
Run Time | 1 minute
Account Attributes | 209
Compromised Accounts | 44
Events | 6
Event Attributes | 246
Malware | 1
Malware Attributes | 3

Known Issues / Limitations

  • There is a lag between when a breach is first observed and when the entry appears in the Flashpoint API. To account for it, the feed back-dates its last run time by 12 hours. This may cause some alerts to be re-ingested, but they are de-duplicated, so no duplicate objects result.
  • Consecutive runs at an interval of 1 minute can receive HTTP 429 (rate limit) responses from the Flashpoint API. We recommend waiting 3 to 5 minutes before repeating the run.

Change Log

  • Version 1.1.2
    • Added the option to ingest Host Data.
    • Added the following configuration parameters:
      • Account Context - select which pieces of context to ingest with the compromised account.
      • Relate Malware to the Account - relate Malware objects for the affected accounts.
  • Version 1.1.1
    • The feed now correctly ingests the Affected Domain attribute from Flashpoint.
    • Added a rule to update the Is Fresh and Seen Count attributes if they already exist in the ThreatQ platform.
    • Added new configuration parameters: Enable SSL Verification and Disable Proxies.  
    • Added two new known limitation entries regarding lag times and consecutive runs.
    • Updated the text for the Exclude Domains configuration parameter field.
  • Version 1.1.0
    • The integration now uses the Flashpoint Ignite Compromised Accounts endpoint.
    • Updated the name of integration to Flashpoint Ignite Compromised Accounts. 
    • Updated the minimum ThreatQ version to 5.10.0
  • Version 1.0.1
    • Fixed an issue with lag time between when a breach was first observed and when the entry appeared in the Flashpoint API. 
    • Updated the support tier for the integration from Not Actively Supported to ThreatQ Supported.   
  • Version 1.0.0
    • Initial release