
NTT Cyber Threat Sensor

This Integration is part of the NTT Cyber Threat Sensor Pack.

Retrieve alerts and recommendations from NTT CTS. This integration was integrated and tested with version 1.0 of NTT Cyber Threat Sensor.

Configure NTT Cyber Threat Sensor in Cortex

| Parameter | Description | Required |
| --- | --- | --- |
| APIKEY | The API key for accessing CTS over AWS | True |
| TENANT_ID | Tenant identification. UUID formatted string | True |
| DAYS_BACK | Days to fetch for the first time this application runs | True |
| ITEMS_TO_FETCH | Number of items to fetch each iteration (1 to 100) | True |
| SOARTOKEN | The unique key for accessing the alerts and active response recommendations | True |
| isFetch | Fetch incidents | False |
| incidentType | Incident type | False |
| BASEURL | The base URL for the backend to consume from | True |

Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

ntt-cyber-threat-sensor-poll-blobs

Check whether blobs are available for an incident.

Base Command

ntt-cyber-threat-sensor-poll-blobs

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| event_id | ID of the incident for which to fetch blobs | Required |
| timestamp | ISO timestamp for when the alert was triggered | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CTS.FetchBlob | boolean | True if there are blobs to fetch |
| CTS.Blob.ID | string | ID of the incident |
| CTS.Blob.Status | string | "hold" to wait, "release" to run |

Command Example

!ntt-cyber-threat-sensor-poll-blobs event_id=07be6916957da6dc0b4c7fbf6995b1e44dccb9e7 timestamp=2020-08-12T07:29:01.464841

Context Example

{
    "CTS": {
        "Blobs": {
            "ID": "07be6916957da6dc0b4c7fbf6995b1e44dccb9e7",
            "Status": "release"
        }
    }
}

Human Readable Output

CTS blob(s) was found and has been sceduled for download

ntt-cyber-threat-sensor-fetch-blobs

Collect the blobs, most commonly a pcap, that belong to an incident.

Base Command

ntt-cyber-threat-sensor-fetch-blobs

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| event_id | ID of the incident for which to fetch blobs | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| File.Size | number | The size of the file. |
| File.SHA1 | string | The SHA1 hash of the file. |
| File.SHA256 | string | The SHA256 hash of the file. |
| File.Name | string | The name of the file. |
| File.SSDeep | string | The SSDeep hash of the file. |
| File.EntryID | string | The entry ID of the file. |
| File.Info | string | File information. |
| File.Type | string | The file type. |
| File.MD5 | string | The MD5 hash of the file. |
| File.Extension | string | The file extension. |
| CTS.HasBlob | boolean | True if one or more blobs exist. |

Command Example

!ntt-cyber-threat-sensor-fetch-blobs event_id=07be6916957da6dc0b4c7fbf6995b1e44dccb9e7

Context Example

{
    "CTS": {
        "HasBlob": [
            false,
            true
        ]
    },
    "File": {
        "EntryID": "226@b969e30d-f6de-490a-8f35-81a8939b5b97",
        "Extension": "pcap",
        "Info": "application/vnd.tcpdump.pcap",
        "MD5": "f6362d15102678983db75e7b764d973f",
        "Name": "6f5f0353-9ff6-4544-b6d9-1741a9842445.pcap",
        "SHA1": "a031573de579dea138351bb6742887baf9a5bf5a",
        "SHA256": "22cf474ab9be274078f4fc3796a7893f2bed9fe7920a921593ea43b8a4705a9f",
        "SHA512": "a751c7b436755aea5d7bbe3bfd0bc2e5a1ff5ddf8aadd956b50df18acaba4a43d969105bf9d28b66f8d2f9dcd1add1c0f73a5c9e6ccb01f0e34924f52acebee8",
        "SSDeep": "12288:90nf6/GBLS0c9s+txFd9Ri6KSIb9zK9RmnM:Of6/OYs+9kSaJKHmnM",
        "Size": 567348,
        "Type": "pcap capture file, microsecond ts (little-endian) - version 2.4 (Ethernet, capture length 65535)"
    }
}

Human Readable Output

CTS blob(s) downloaded: ['6f5f0353-9ff6-4544-b6d9-1741a9842445.pcap']
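The two commands above form one sequence in a playbook: poll until CTS.Blobs.Status is "release", then fetch the blob and record the File context. The Python below is an added example, not code from the NTT integration or from Cortex XSOAR; it models that sequence with stand-in functions so it runs offline. The list of poll results, the sample blob bytes, the retry limit, the argument checks and the hash verification against the File context are constructed assumptions for the example; a real playbook would call the two commands instead of the stand-ins.

```python
"""Poll-then-fetch flow for NTT CTS blobs, modelled offline (added example)."""
import hashlib
import re
from datetime import datetime
from typing import Callable, Dict, List, Optional

# Values taken from the Command Example on this page.
EVENT_ID = "07be6916957da6dc0b4c7fbf6995b1e44dccb9e7"
TIMESTAMP = "2020-08-12T07:29:01.464841"

# Constructed stand-in for successive poll-blobs answers: "hold" twice, then "release".
SAMPLE_POLL_RESULTS: List[Dict] = [
    {"CTS": {"FetchBlob": True, "Blobs": {"ID": EVENT_ID, "Status": "hold"}}},
    {"CTS": {"FetchBlob": True, "Blobs": {"ID": EVENT_ID, "Status": "hold"}}},
    {"CTS": {"FetchBlob": True, "Blobs": {"ID": EVENT_ID, "Status": "release"}}},
]

# Constructed bytes standing in for a downloaded pcap (pcap magic plus padding).
SAMPLE_BLOB = b"\xd4\xc3\xb2\xa1\x02\x00\x04\x00" + b"\x00" * 24


def validate_poll_args(event_id: str, timestamp: str) -> None:
    """Assumed input checks: event_id is a 40-hex-char ID, timestamp is ISO 8601."""
    if not re.fullmatch(r"[0-9a-f]{40}", event_id):
        raise ValueError("event_id must be a 40-character lowercase hex string")
    datetime.fromisoformat(timestamp)  # raises ValueError on a malformed timestamp


def poll_until_release(poll: Callable[[], Dict], max_attempts: int = 5) -> Optional[str]:
    """Call poll() until CTS.Blobs.Status is 'release'; return the blob ID, or None
    when there is nothing to fetch or the retry budget is exhausted."""
    for _ in range(max_attempts):
        cts = poll().get("CTS", {})
        if not cts.get("FetchBlob"):
            return None  # no blobs for this incident, stop polling
        blob = cts.get("Blobs", {})
        if blob.get("Status") == "release":
            return blob.get("ID")
        # Status is "hold": the blob is not ready yet; a playbook would sleep here.
    return None


def make_fetch_context(blob_id: str, data: bytes) -> Dict:
    """Constructed stand-in for the fetch-blobs context, shaped like the page's example."""
    return {
        "CTS": {"HasBlob": [False, True]},
        "File": {
            "Extension": "pcap",
            "Name": f"{blob_id}.pcap",
            "MD5": hashlib.md5(data).hexdigest(),
            "SHA1": hashlib.sha1(data).hexdigest(),
            "SHA256": hashlib.sha256(data).hexdigest(),
            "Size": len(data),
        },
    }


def verify_fetched_blob(fetch_ctx: Dict, data: bytes) -> bool:
    """Integrity check (assumption): recompute hashes of the downloaded bytes and
    compare them with the File context. Handles CTS.HasBlob being a list, as in
    the page's example, as well as a plain boolean."""
    has_blob = fetch_ctx.get("CTS", {}).get("HasBlob", False)
    if isinstance(has_blob, list):
        has_blob = any(has_blob)
    if not has_blob:
        return False
    f = fetch_ctx.get("File", {})
    if f.get("Size") != len(data):
        return False
    expected = {
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA1": hashlib.sha1(data).hexdigest(),
        "SHA256": hashlib.sha256(data).hexdigest(),
    }
    return all(f.get(name) == digest for name, digest in expected.items())


def run_flow(poll_results: List[Dict], data: bytes, max_attempts: int = 5) -> Dict:
    """Whole sequence: validate args, poll until release, fetch, verify."""
    validate_poll_args(EVENT_ID, TIMESTAMP)
    answers = iter(poll_results)
    blob_id = poll_until_release(lambda: next(answers), max_attempts)
    if blob_id is None:
        return {"fetched": False, "verified": False}
    ctx = make_fetch_context(blob_id, data)
    return {"fetched": True, "verified": verify_fetched_blob(ctx, data)}


if __name__ == "__main__":
    print(run_flow(SAMPLE_POLL_RESULTS, SAMPLE_BLOB))
```

The hash comparison is the step a defender wants before handing a pcap to downstream analysis: the File context already carries MD5, SHA1 and SHA256, so a mismatch against the bytes actually written to disk signals a truncated or altered download rather than a CTS problem.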