NTT Cyber Threat Sensor

Retrieve alerts and recommendations from NTT CTS. This integration was integrated and tested with version 1.0 of NTT Cyber Threat Sensor.

Configure NTT Cyber Threat Sensor on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for NTT Cyber Threat Sensor.
  3. Click Add instance to create and configure a new integration instance.

| Parameter | Description | Required |
| --- | --- | --- |
| APIKEY | The API key for accessing CTS over AWS | True |
| TENANT_ID | Tenant identification. UUID formatted string | True |
| DAYS_BACK | Days to fetch for the first time this application runs | True |
| ITEMS_TO_FETCH | Number of items to fetch each iteration (1 to 100) | True |
| SOARTOKEN | The unique key for accessing the alerts and active response recommendations | True |
| isFetch | Fetch incidents | False |
| incidentType | Incident type | False |
| BASEURL | The base URL for the backend to consume from | True |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

ntt-cyber-threat-sensor-poll-blobs

Checks whether blobs are available for an incident.

Base Command

ntt-cyber-threat-sensor-poll-blobs

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| event_id | ID of the incident to fetch blobs for | Required |
| timestamp | ISO timestamp for when the alert was triggered | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| CTS.FetchBlob | boolean | True if there are blobs to fetch |
| CTS.Blob.ID | string | ID of the incident |
| CTS.Blob.Status | string | "hold" means keep waiting; "release" means the blobs can be fetched |

Command Example

!ntt-cyber-threat-sensor-poll-blobs event_id=07be6916957da6dc0b4c7fbf6995b1e44dccb9e7 timestamp=2020-08-12T07:29:01.464841

Context Example

{
    "CTS": {
        "Blobs": {
            "ID": "07be6916957da6dc0b4c7fbf6995b1e44dccb9e7",
            "Status": "release"
        }
    }
}

Human Readable Output

CTS blob(s) was found and has been sceduled for download

ntt-cyber-threat-sensor-fetch-blobs

Collects the blobs, most commonly a pcap, attached to an incident.

Base Command

ntt-cyber-threat-sensor-fetch-blobs

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| event_id | ID of the incident to fetch blobs for | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| File.Size | number | The size of the file. |
| File.SHA1 | string | The SHA1 hash of the file. |
| File.SHA256 | string | The SHA256 hash of the file. |
| File.Name | string | The name of the file. |
| File.SSDeep | string | The SSDeep hash of the file. |
| File.EntryID | string | The entry ID of the file. |
| File.Info | string | File information. |
| File.Type | string | The file type. |
| File.MD5 | string | The MD5 hash of the file. |
| File.Extension | string | The file extension. |
| CTS.HasBlob | boolean | True if one or more blobs exist |

Command Example

!ntt-cyber-threat-sensor-fetch-blobs event_id=07be6916957da6dc0b4c7fbf6995b1e44dccb9e7

Context Example

{
    "CTS": {
        "HasBlob": [
            false,
            true
        ]
    },
    "File": {
        "EntryID": "226@b969e30d-f6de-490a-8f35-81a8939b5b97",
        "Extension": "pcap",
        "Info": "application/vnd.tcpdump.pcap",
        "MD5": "f6362d15102678983db75e7b764d973f",
        "Name": "6f5f0353-9ff6-4544-b6d9-1741a9842445.pcap",
        "SHA1": "a031573de579dea138351bb6742887baf9a5bf5a",
        "SHA256": "22cf474ab9be274078f4fc3796a7893f2bed9fe7920a921593ea43b8a4705a9f",
        "SHA512": "a751c7b436755aea5d7bbe3bfd0bc2e5a1ff5ddf8aadd956b50df18acaba4a43d969105bf9d28b66f8d2f9dcd1add1c0f73a5c9e6ccb01f0e34924f52acebee8",
        "SSDeep": "12288:90nf6/GBLS0c9s+txFd9Ri6KSIb9zK9RmnM:Of6/OYs+9kSaJKHmnM",
        "Size": 567348,
        "Type": "pcap capture file, microsecond ts (little-endian) - version 2.4 (Ethernet, capture length 65535)"
    }
}

Human Readable Output

CTS blob(s) downloaded: ['6f5f0353-9ff6-4544-b6d9-1741a9842445.pcap']
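The two commands above are meant to be chained: poll until CTS.Blob.Status is "release", then fetch. The following is an added example (not code from the NTT CTS integration) of playbook-side helpers that gate the fetch on the poll context and cross-check a returned File entry against the bytes actually downloaded; the pcap header and File entry are constructed stand-ins.

```python
import hashlib
import struct

# pcap global-header magic values (microsecond and nanosecond timestamp variants).
PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4",
               b"\x4d\x3c\xb2\xa1", b"\xa1\xb2\x3c\x4d"}


def should_fetch(poll_ctx: dict) -> bool:
    """True only when ntt-cyber-threat-sensor-poll-blobs reports Status "release".
    "hold" (or a missing key) means the playbook should keep polling."""
    cts = poll_ctx.get("CTS", {})
    blob = cts.get("Blob") or cts.get("Blobs") or {}  # page shows both spellings
    return blob.get("Status") == "release"


def verify_file_entry(entry: dict, data: bytes) -> list:
    """Cross-check a File context entry written by fetch-blobs against the downloaded
    bytes. Returns the names of fields that do not match (empty list means consistent)."""
    digests = {"MD5": hashlib.md5, "SHA1": hashlib.sha1,
               "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}
    bad = [f for f, h in digests.items() if f in entry and h(data).hexdigest() != entry[f]]
    if "Size" in entry and entry["Size"] != len(data):
        bad.append("Size")
    if entry.get("Extension") == "pcap" and data[:4] not in PCAP_MAGICS:
        bad.append("Extension")  # claims to be a pcap but lacks a pcap global header
    return bad


def make_entry(name: str, data: bytes) -> dict:
    """Constructed stand-in for the File entry fetch-blobs puts into context."""
    return {"Name": name, "Extension": name.rsplit(".", 1)[-1], "Size": len(data),
            "MD5": hashlib.md5(data).hexdigest(), "SHA1": hashlib.sha1(data).hexdigest(),
            "SHA256": hashlib.sha256(data).hexdigest(),
            "SHA512": hashlib.sha512(data).hexdigest()}


# Constructed sample: a minimal little-endian pcap global header, version 2.4,
# snaplen 65535, linktype 1 (Ethernet), matching the File.Type shown on the page.
SAMPLE_PCAP = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1)
SAMPLE_ENTRY = make_entry("sample.pcap", SAMPLE_PCAP)

if __name__ == "__main__":
    print(should_fetch({"CTS": {"Blobs": {"ID": "x", "Status": "release"}}}))  # True
    print(verify_file_entry(SAMPLE_ENTRY, SAMPLE_PCAP))                           # []
    print(verify_file_entry(SAMPLE_ENTRY, SAMPLE_PCAP[:-1] + b"\xff"))  # all four hashes
```

In a playbook the poll command would run inside a GenericPolling-style loop with should_fetch as the exit condition, and verify_file_entry would run on the War Room file before any further pcap analysis.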