Current ThreatQ Version Filter
 

KPMG Digital Signals CDF

The web format of this guide reflects the most current release.  Guides for older iterations are available in PDF format.  

Integration Details

ThreatQuotient provides the following details for this integration:

Introduction

The KPMG Digital Signals CDF enables security analysts to automatically ingest leaked credentials and email breach data sourced from the deep and dark webs, providing enhanced visibility into potential exposure and supporting proactive threat detection efforts.

The integration provides the following feeds:

  • KPMG Digital Signals - Credential Leaks - ingests credential leaks discovered across the deep and dark webs.
  • KPMG Digital Signals - Email Intelligence - ingests breach information for email exposed discovered across the deep and dark webs.

The integration ingests the following object types:

  • Identities
    • Identity Attributes
  • Indicators
    • Indicator Attributes
  • Reports
    • Report Attributes

Prerequisites

The integration requires to the following:

  • A KPMG Digital Signals API Key.
  • A Gateway IP whitelisted by KPMG Digital Signals. 

Installation

Perform the following steps to install the integration:

The same steps can be used to upgrade the integration to a new version.

  1. Log into https://marketplace.threatq.com/.
  2. Locate and download the integration yaml file.
  3. Navigate to the integrations management page on your ThreatQ instance.
  4. Click on the Add New Integration button.
  5. Upload the integration yaml file using one of the following methods:
    • Drag and drop the file into the dialog box
    • Select Click to Browse to locate the file on your local machine
  6. Select the individual feeds to install, when prompted and click Install.

    ThreatQ will inform you if the feed already exists on the platform and will require user confirmation before proceeding. ThreatQ will also inform you if the new version of the feed contains changes to the user configuration. The new user configurations will overwrite the existing ones for the feed and will require user confirmation before proceeding.

The feed(s) will be added to the integrations page. You will still need to configure and then enable the feed.

Configuration

ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.

To configure the integration:

  1. Navigate to your integrations management page in ThreatQ.
  2. Select the Commercial option from the Category dropdown (optional).

    If you are installing the integration for the first time, it will be located under the Disabled tab.

  3. Click on the integration entry to open its details page.
  4. Enter the following parameters under the Configuration tab:

    Credential Leaks Parameters

    Parameter Description
    API Key Enter your KPMG Digital Signals API Key.
    Enable SSL Certificate Verification Enable this parameter if the feed should validate the host-provided SSL certificate. 
    Disable Proxies Enable this parameter if the feed should not honor proxies set in the ThreatQ UI.
    User ThreatQ Object Type Select the entity type to ingest users as in ThreatQ. Options include:
    • Identity (default)
    • Indicator (Email Address)
    Context Filter Select the pieces of context to ingest with each user. Options include:
    • Password Type (default)
    • Scan Date (default)
    • Is False Positive (default)
    • Status Of Reporting
    • Source File Name

    Credential Leaks Configuration Screen

    Email Intelligence Parameters

    Parameter Description
    API Key Enter your KPMG Digital Signals API Key.
    Enable SSL Certificate Verification Enable this parameter if the feed should validate the host-provided SSL certificate. 
    Disable Proxies Enable this parameter if the feed should not honor proxies set in the ThreatQ UI.
    User ThreatQ Object Type Select the entity type to ingest users as in ThreatQ. Options include:
    • Identity (default)
    • Indicator (Email Address)
    Context Filter Select the pieces of context to ingest with each breach. Options include:
    • Breached Data Type (default)
    • Is Verified (default)
    • Is False Positive (default)
    • Scan Date (default)
    • Status Of Reporting

    Email Intelligence Configuration Screen
     
  5. Review any additional settings, make any changes if needed, and click on Save.
  6. Click on the toggle switch, located above the Additional Information section, to enable it.

ThreatQ Mapping

KPMG Digital Signals - Credential Leaks

The KPMG Digital Signals - Credential Leaks feed periodically ingests credential leaks discovered across deep and dark webs.

GET https://selfscan.digitalsignals.kpmg.com:5055/api/credleaks/

Sample Response:

{
  "data": [
    {
      "user": "test@threatq.com",
      "password_type": "plaintext",
      "short_source": "darkweb",
      "date": "2025-11-11T00:00:00Z",
      "scan_date": "2025-11-12T00:00:00Z",
      "is_false_positive": false,
      "reported_status": "done"
    }
  ]
}

ThreatQuotient provides the following default mapping for this feed based on each entry from .data[]:

Feed Data Path ThreatQ Entity ThreatQ Object Type or Attribute Key Published Date Examples Notes
.user Identity/Indicator.Value Identity/Email Address .date test@threatq.com Ingested according to User ThreatQ Object Type
.password_type Identity/Indicator.Attribute Password Type .date plaintext User-configurable
.short_source Identity/Indicator.Attribute Source File Name .date darkweb User-configurable
.scan_date Identity/Indicator.Attribute Scan Date .date 2025-11-12T00:00:00Z User-configurable. Updatable.
.is_false_positive Identity/Indicator.Attribute Is False Positive .date False User-configurable. Updatable. Converted to string.
.reported_status Identity/Indicator.Attribute Status Of Reporting .date done User-configurable. Updatable.

KPMG Digital Signals - Email Intelligence

The KPMG Digital Signals - Email Intelligence feed periodically ingests breach information for email exposed discovered across deep and dark webs.

GET https://selfscan.digitalsignals.kpmg.com:5055/api/emailintel/

Sample Response:

{
  "data": [
    {
      "email": "cheryl.schwerin@victoriassecret.com",
      "breaches": [
        {
          "breached_email": "cheryl.schwerin@victoriassecret.com",
          "breach_info": true,
          "breach_name": "Exactis",
          "breach_date": "2018-06-01",
          "breached_data": [
            "Credit status information",
            "Dates of birth"
          ],
          "is_verified": true,
          "is_false_positive": false,
          "reported_status": "unreported",
          "scan_date": "2025-09-12"
        }
      ]
    }
  ]
}

ThreatQuotient provides the following default mapping for this feed based on each entry from .data[].breaches[] if .data.breaches[].breach_info is enabled from the configuration page:

Feed Data Path ThreatQ Entity ThreatQ Object Type or Attribute Key Published Date Examples Notes
.breached_email Identity/Indicator.Value Identity/Email Address N/A cheryl.schwerin@victoriassecret.com Ingested according to User ThreatQ Object Type
.breach_name Related Report.Value Report breach_date Exactis N/A
.breached_data Related Report.Attribute Breached Data Type breach_date Credit status information User-configurable
.is_verified Related Report.Attribute Is Verified breach_date False User-configurable. Updatable. Converted to string.
.is_false_positive Related Report.Attribute Is False Positive breach_date False User-configurable. Updatable. Converted to string.
.scan_date Related Report.Attribute Scan Date breach_date 2025-11-12T00:00:00Z User-configurable. Updatable.
.reported_status Related Report.Attribute Status Of Reporting breach_date unreported User-configurable. Updatable.

Average Feed Run

Object counts and Feed runtime are supplied as generalities only - objects returned by a provider can differ based on credential configurations and Feed runtime may vary based on system resources and load.

KPMG Digital Signals - Credential Leaks

Metric Result
Run Time 1 minute
Indicators 3
Indicator Attributes 15

KPMG Digital Signals - Email Intelligence

Metric Result
Run Time 1 minute
Indicators 3
Report 6
Report Attributes 40

Known Issues / Limitations

  • The KPMG Digital Signals - Email Intelligence feed utilizes since and until dates to to filter data breaches based on .breaches[].scan_date. To ingest historical data breaches, run the feed manually by setting the since date back. 

Change Log

  • Version 1.0.0
    • Initial release

PDF Guides

Document ThreatQ Version
KPMG Digital Signals CDF v1.0.0 5.29.0 or Greater