ciscosecurity/tr-05-cyberprotect

By ciscosecurity

Updated about 2 years ago

Threatscore | Cyberprotect Relay (Cisco Hosted)

V 2.0.6

Improvements

  • Changed Cyberprotect host
  • Updated Pipfile.lock

V 2.0.5

Improvements

  • Remove traceback from logs in case of 404 error

V 2.0.4

Improvements

  • Add traceback to log file

V 2.0.3

Improvements

  • Remove unused endpoints

V 2.0.2

Improvements

  • Update dependencies management

V 2.0.1

Improvements

  • Add Jenkinsfile
  • Alpine & Python version update
  • Update tips

V 2.0.0

Implementation Details

Implemented Relay Endpoints

  • POST /health
    • Checks that the service is available at the moment.
  • POST /deliberate/observables
    • Accepts a list of observables and filters out unsupported ones.
    • Makes a series of requests to the underlying external service to query for cyber threat intelligence data on each supported observable.
    • Maps the fetched data into the appropriate CTIM entities.
    • Returns a list for each of the following CTIM entities (if any were extracted):
      • Verdict.
  • POST /observe/observables
    • Accepts a list of observables and filters out unsupported ones.
    • Makes a series of requests to the underlying external service to query for cyber threat intelligence data on each supported observable.
    • Maps the fetched data into the appropriate CTIM entities.
    • Returns a list for each of the following CTIM entities (if any were extracted):
      • Verdict,
      • Judgement.
  • POST /version
    • Returns the current version of the application.

Supported Types of Observables

  • ip
  • ipv6
  • domain

CTIM Mapping Specifics

Each response from the Threatscore Cyberprotect API for the supported observables generates the following CTIM entities:

  • Verdict is based on .scores[].
  • Judgement is based on .scores[].details[].
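The filter-fetch-map flow of the /observe/observables endpoint and the .scores[] / .scores[].details[] mapping above, as an added Python sketch that is not the relay's own code. Only the supported observable types, the two endpoints' behaviour and the scores/details mapping come from this page; the Cyberprotect field names (score, category), the sample response and the score-to-disposition thresholds are assumptions, and the CTIM entities are reduced to their core fields.

```python
from typing import Any, Callable

# Observable types the relay accepts (from this page); all others are dropped.
SUPPORTED_TYPES = {"ip", "ipv6", "domain"}
# CTIM disposition numbers and names (CTIM schema).
DISPOSITION_NAMES = {1: "Clean", 2: "Malicious", 3: "Suspicious", 5: "Unknown"}

# Constructed sample response: only the .scores[] / .scores[].details[] shape
# named on the page is real; field names and values are assumptions.
SAMPLE_RESPONSE = {"scores": [{"score": 85, "details": [
    {"score": 90, "category": "botnet-c2"}, {"score": 40, "category": "port-scanner"}]}]}

def filter_supported(observables: list[dict]) -> list[dict]:
    """Keep only observables of a type the relay can query."""
    return [o for o in observables if o.get("type") in SUPPORTED_TYPES]

def score_to_disposition(score: float) -> int:
    """Hypothetical thresholds (assumption); the real cut-offs are not on the page."""
    if score >= 70:
        return 2  # Malicious
    if score >= 30:
        return 3  # Suspicious
    return 1  # Clean

def _entity(kind: str, observable: dict, score: float, **extra: Any) -> dict:
    """Build a minimal CTIM entity; real Verdicts and Judgements carry more fields."""
    disp = score_to_disposition(score)
    return {"type": kind, "observable": observable, "disposition": disp,
            "disposition_name": DISPOSITION_NAMES[disp], **extra}

def map_to_ctim(observable: dict, response: dict) -> dict:
    """Verdicts from .scores[], Judgements from .scores[].details[], as the page states."""
    verdicts, judgements = [], []
    for s in response.get("scores", []):
        verdicts.append(_entity("verdict", observable, s["score"]))
        for d in s.get("details", []):
            judgements.append(_entity("judgement", observable, d["score"],
                                      source="Threatscore Cyberprotect",
                                      reason=d.get("category", "")))
    return {"verdicts": verdicts, "judgements": judgements}

def relay_observe(observables: list[dict], fetch: Callable[[dict], dict]) -> dict:
    """Mirror /observe/observables: filter, query each supported observable, merge lists."""
    out: dict = {"verdicts": [], "judgements": []}
    for obs in filter_supported(observables):
        for key, items in map_to_ctim(obs, fetch(obs)).items():
            out[key].extend(items)
    return out
```

Pass a real HTTP client as `fetch` to turn the sketch into a working relay; unsupported observables (for example a hash) never reach it, which is why the second observable in the test below produces nothing.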

Docker Pull Command

docker pull ciscosecurity/tr-05-cyberprotect