NTT Cyber Threat Sensor
NTT Cyber Threat Sensor Pack.#
This Integration is part of theRetrieve alerts and recommendations from NTT CTS This integration was integrated and tested with version 1.0 of NTT Cyber Threat Sensor
#
Configure NTT Cyber Threat Sensor in CortexParameter | Description | Required |
---|---|---|
APIKEY | The API key for accessing CTS over AWS | True |
TENANT_ID | Tenant identification. UUID formatted string | True |
DAYS_BACK | Days to fetch for the first time this application runs | True |
ITEMS_TO_FETCH | Number of items to fetch each iteration (1 to 100) | True |
SOARTOKEN | The unique key for accessing the alerts and active response recommendations | True |
isFetch | Fetch incidents | False |
incidentType | Incident type | False |
BASEURL | The base URL for the backend to consume from | True |
#
CommandsYou can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
#
ntt-cyber-threat-sensor-poll-blobsCheck if blobs is available
#
Base Commandntt-cyber-threat-sensor-poll-blobs
#
InputArgument Name | Description | Required |
---|---|---|
event_id | ID of the incident from whom to fetch blobs for | Required |
timestamp | ISO timestamp for when alert was triggered | Required |
#
Context OutputPath | Type | Description |
---|---|---|
CTS.FetchBlob | boolean | True if there are blobs to fetch |
CTS.Blob.ID | string | ID of the incident |
CTS.Blob.Status | string | hold to wait and release to run |
#
Command Example!ntt-cyber-threat-sensor-poll-blobs event_id=07be6916957da6dc0b4c7fbf6995b1e44dccb9e7 timestamp=2020-08-12T07:29:01.464841
#
Context Example#
Human Readable OutputCTS blob(s) was found and has been sceduled for download
#
ntt-cyber-threat-sensor-fetch-blobsCollecting blobs, most commonly pcap from an incident
#
Base Commandntt-cyber-threat-sensor-fetch-blobs
#
InputArgument Name | Description | Required |
---|---|---|
event_id | ID of the incident from whom to fetch blobs for | Required |
#
Context OutputPath | Type | Description |
---|---|---|
File.Size | number | The size of the file. |
File.SHA1 | string | The SHA1 hash of the file. |
File.SHA256 | string | The SHA256 hash of the file. |
File.Name | string | The name of the file. |
File.SSDeep | string | The SSDeep hash of the file. |
File.EntryID | string | The entry ID of the file. |
File.Info | string | File information. |
File.Type | string | The file type. |
File.MD5 | string | The MD5 hash of the file. |
File.Extension | string | The file extension. |
CTS.HasBlob | boolean | If one or more blobs exist then True |
#
Command Example!ntt-cyber-threat-sensor-fetch-blobs event_id=07be6916957da6dc0b4c7fbf6995b1e44dccb9e7
#
Context Example#
Human Readable OutputCTS blob(s) downloaded: ['6f5f0353-9ff6-4544-b6d9-1741a9842445.pcap']