NTT Cyber Threat Sensor
Retrieve alerts and active response recommendations from NTT Cyber Threat Sensor (CTS). This integration was integrated and tested with version 1.0 of NTT Cyber Threat Sensor.
Configure NTT Cyber Threat Sensor on Cortex XSOAR
- Navigate to Settings > Integrations > Servers & Services.
- Search for NTT Cyber Threat Sensor.
- Click Add instance to create and configure a new integration instance.
Parameter | Description | Required |
---|---|---|
APIKEY | The API key for accessing CTS over AWS | True |
TENANT_ID | Tenant identification. UUID formatted string | True |
DAYS_BACK | Days to fetch for the first time this application runs | True |
ITEMS_TO_FETCH | Number of items to fetch each iteration (1 to 100) | True |
SOARTOKEN | The unique key for accessing the alerts and active response recommendations | True |
isFetch | Fetch incidents | False |
incidentType | Incident type | False |
BASEURL | The base URL for the backend to consume from | True |
- Click Test to validate the URLs, token, and connection.
Commands
You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
ntt-cyber-threat-sensor-poll-blobs
Check whether blobs are available for an incident and schedule them for download.
Base Command
ntt-cyber-threat-sensor-poll-blobs
Input
Argument Name | Description | Required |
---|---|---|
event_id | ID of the incident for which to fetch blobs | Required |
timestamp | ISO timestamp for when alert was triggered | Required |
Context Output
Path | Type | Description |
---|---|---|
CTS.FetchBlob | boolean | True if there are blobs to fetch |
CTS.Blob.ID | string | ID of the incident |
CTS.Blob.Status | string | Blob status: `hold` (not ready yet, poll again) or `release` (ready to fetch) |
Command Example
!ntt-cyber-threat-sensor-poll-blobs event_id=07be6916957da6dc0b4c7fbf6995b1e44dccb9e7 timestamp=2020-08-12T07:29:01.464841
Context Example
Human Readable Output
CTS blob(s) were found and have been scheduled for download
ntt-cyber-threat-sensor-fetch-blobs
Collect the blobs attached to an incident, most commonly a PCAP capture, into the War Room as File entries.
Base Command
ntt-cyber-threat-sensor-fetch-blobs
Input
Argument Name | Description | Required |
---|---|---|
event_id | ID of the incident for which to fetch blobs | Required |
Context Output
Path | Type | Description |
---|---|---|
File.Size | number | The size of the file. |
File.SHA1 | string | The SHA1 hash of the file. |
File.SHA256 | string | The SHA256 hash of the file. |
File.Name | string | The name of the file. |
File.SSDeep | string | The SSDeep hash of the file. |
File.EntryID | string | The entry ID of the file. |
File.Info | string | File information. |
File.Type | string | The file type. |
File.MD5 | string | The MD5 hash of the file. |
File.Extension | string | The file extension. |
CTS.HasBlob | boolean | True if one or more blobs exist |
Command Example
!ntt-cyber-threat-sensor-fetch-blobs event_id=07be6916957da6dc0b4c7fbf6995b1e44dccb9e7
Context Example
Human Readable Output
CTS blob(s) downloaded: ['6f5f0353-9ff6-4544-b6d9-1741a9842445.pcap']
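The two commands above are meant to be chained: poll until CTS reports the blob as `release`, then fetch. The following is an added example of that poll-then-fetch flow written as it would sit in an XSOAR automation; it is not code from the NTT CTS integration. The commands are invoked through an injected `execute` callable so the logic runs offline; in a real automation `execute` would wrap `demisto.executeCommand` and pass its entries through `merge_entry_context`. The treatment of `hold`/`release`, the XSOAR entry layout (`EntryContext`, error entries with `Type == 4`) and the flat-or-nested context keys are assumptions stated in the comments.

```python
"""Poll NTT CTS for an incident's blobs and fetch them once released.

Added example, not part of the NTT CTS integration or of Cortex XSOAR.
"""
import time
from typing import Callable, Dict, List, Tuple

POLL_CMD = "ntt-cyber-threat-sensor-poll-blobs"
FETCH_CMD = "ntt-cyber-threat-sensor-fetch-blobs"

# execute(command_name, args) -> merged context dict of the command's entries.
Executor = Callable[[str, Dict[str, str]], Dict]


def merge_entry_context(entries: List[Dict]) -> Dict:
    """Flatten the EntryContext of a list of War Room entries into one dict.

    Assumption (XSOAR convention): demisto.executeCommand returns a list of
    entries, each with an optional 'EntryContext' keyed by context path, and
    an error entry has Type == 4. Errors raise so that a failed command is
    never mistaken for "no blobs".
    """
    merged: Dict = {}
    for entry in entries:
        if entry.get("Type") == 4:
            raise RuntimeError(f"command failed: {entry.get('Contents')}")
        for key, value in (entry.get("EntryContext") or {}).items():
            path = key.split("(")[0]  # drop DT selector, e.g. "File(val.SHA256 == obj.SHA256)"
            if isinstance(merged.get(path), list) and isinstance(value, list):
                merged[path].extend(value)
            else:
                merged[path] = value
    return merged


def get_path(ctx: Dict, dotted: str):
    """Look up a dotted context path, accepting flat ("CTS.FetchBlob") or nested keys."""
    if dotted in ctx:
        return ctx[dotted]
    node = ctx
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def fetch_incident_blobs(event_id: str, timestamp: str, execute: Executor,
                         max_polls: int = 5, wait: Callable[[float], None] = time.sleep,
                         interval: float = 30.0) -> Tuple[str, List[Dict]]:
    """Poll until CTS releases the blobs, then fetch them.

    Returns (status, files) where status is "no_blobs", "timeout" or
    "fetched" and files are the File context entries that are PCAPs with a
    SHA256 (so the evidence can be hash-verified downstream).
    Assumption: CTS.Blob.Status "hold" means keep polling, "release" means
    the fetch command may run now.
    """
    released = False
    for _ in range(max_polls):
        ctx = execute(POLL_CMD, {"event_id": event_id, "timestamp": timestamp})
        if not get_path(ctx, "CTS.FetchBlob"):
            return "no_blobs", []
        if str(get_path(ctx, "CTS.Blob.Status") or "").lower() == "release":
            released = True
            break
        wait(interval)  # blob still on hold; back off before polling again
    if not released:
        return "timeout", []

    ctx = execute(FETCH_CMD, {"event_id": event_id})
    if not get_path(ctx, "CTS.HasBlob"):
        return "no_blobs", []
    files = get_path(ctx, "File") or []
    if isinstance(files, dict):  # a single File entry may be returned unwrapped
        files = [files]
    pcaps = [f for f in files
             if str(f.get("Extension", "")).lower() == "pcap" and f.get("SHA256")]
    return "fetched", pcaps
```

Capping the poll count and returning `timeout` rather than looping forever matters in a playbook: a blob that never leaves `hold` should surface as a task failure, not a hung incident. Filtering the returned File entries to PCAPs that carry a SHA256 gives the next task a hash to verify before it hands the capture to an analysis tool.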