Integrating with Custom Threat Intelligence Databases

It is possible to integrate Kondukto with custom TI databases that might be used in an organization. To do so, the integration should be enabled under Integrations --> Threat Intelligence.

Once the integration is enabled, it becomes possible to feed Kondukto with threat intelligence data coming from a database through Kondukto's API.

The following information can be sent to Kondukto through the API:

- CVE ID: required
- Description: optional
- Observed in the wild: optional
- Known exploit: optional
- Publish date: optional
- Risk Rating: required (set as 0 by default)

An example is as follows:

{
  "cve_id": "CVE-2018-14721", // required and must be unique
  "description": "", // optional, default empty
  "observed_in_the_wild": false, // optional, default false
  "known_exploit": false, // optional, default false
  "publish_date": "2023-08-16T19:05:01.000Z", // optional; the current time is used if null is sent
  "risk_rating": 2 // optional, default 0
}

Threat Intelligence API Usage

This documentation explains how to interact with the Threat Intelligence (TI) API, including how to list, create, update, and delete custom threat intelligence data. All data is maintained at the global level, and each TI entry is associated with a specific CVE.

When you create or update a TI entry for a CVE (e.g., CVE-2018-14721), this threat intelligence data will be visible across all findings related to that CVE.

Authentication

All API requests require an authentication token to be sent via the X-Cookie header.

Header Example:

X-Cookie: {token}

The following operations can be carried out through the API:

Endpoints & Example Usage

  1. List All Threat Intelligence Entries

Returns all threat intelligence data available in the system.

Endpoint: {{API_BASE}}/api/v2/intelligence
Method: GET

Sample:

curl --location 'http://hostname/api/v2/intelligence' \
--header 'X-Cookie: {token}'

  2. Get a Threat Intelligence Entry by CVE ID

Returns the threat intelligence data for a single CVE.

Endpoint: {{API_BASE}}/api/v2/intelligence/{{CVE_ID}}
Method: GET

Sample:

curl --location 'http://hostname/api/v2/intelligence/CVE-2018-14721' \
--header 'X-Cookie: {token}'

  3. Create a Threat Intelligence Entry

Creates a new TI entry for a specific CVE. If a TI entry with the same cve_id already exists, it will be updated.

Endpoint: {{API_BASE}}/api/v2/intelligence
Method: POST

Sample:

curl --location 'http://hostname/api/v2/intelligence' \
--header 'X-Cookie: {token}' \
--data '{
    "cve_id": "CVE-2018-14721",
    "description": "",
    "observed_in_the_wild": false,
    "known_exploit": false,
    "publish_date": "2023-08-16T19:05:01.000Z",
    "risk_rating": 2
}'
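The field rules above and the create endpoint, as an added example that is not Kondukto's own code: rows exported from a custom TI database are validated, given the documented defaults, and upserted with the X-Cookie header; the sample rows are constructed and the environment variable names KONDUKTO_API_BASE and KONDUKTO_TOKEN are assumptions.

```python
# Added example, not Kondukto's own code: validate rows from a custom TI DB
# against the rules above and upsert via POST /api/v2/intelligence (env names assumed).
import contextlib, json, os, re, types, urllib.request

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
SAMPLE_ROWS = [  # constructed rows, as a custom TI database might export them
    {"cve_id": "cve-2018-14721", "risk_rating": "2", "known_exploit": 1,
     "publish_date": "2023-08-16T19:05:01.000Z"},
    {"cve_id": "CVE-2020-0001", "description": "seen on a honeypot"},
    {"cve_id": "not-a-cve", "risk_rating": 9},  # must be rejected, never sent
]

def build_ti_payload(row):
    """Map one row onto the TI schema; a malformed cve_id raises, never sent."""
    cve_id = str(row.get("cve_id", "")).strip().upper()
    if not CVE_RE.match(cve_id):
        raise ValueError(f"invalid cve_id: {row.get('cve_id')!r}")
    payload = {"cve_id": cve_id, "description": row.get("description") or "",
               "observed_in_the_wild": bool(row.get("observed_in_the_wild")),
               "known_exploit": bool(row.get("known_exploit")),
               "risk_rating": int(row.get("risk_rating") or 0)}  # default 0
    if row.get("publish_date"):  # if omitted, Kondukto stamps the current time
        payload["publish_date"] = row["publish_date"]
    return payload

def sync_rows(rows, api_base, token, opener=urllib.request.urlopen):
    """Upsert each valid row (same cve_id is updated in place); collect rejects."""
    sent, rejected = [], []
    for row in rows:
        try:
            payload = build_ti_payload(row)
        except ValueError as exc:
            rejected.append(str(exc))
            continue
        req = urllib.request.Request(
            f"{api_base}/api/v2/intelligence", method="POST",
            data=json.dumps(payload).encode(),
            headers={"X-Cookie": token, "Content-Type": "application/json"})
        with opener(req) as resp:
            sent.append((payload["cve_id"], resp.status))
    return sent, rejected

def dry_run_opener(req):  # urlopen stand-in: print the request, send nothing
    print(req.get_method(), req.full_url, req.data.decode())
    return contextlib.nullcontext(types.SimpleNamespace(status=200))

if __name__ == "__main__":  # real requests only when both env vars are set
    base, tok = os.environ.get("KONDUKTO_API_BASE"), os.environ.get("KONDUKTO_TOKEN")
    print(sync_rows(SAMPLE_ROWS, base or "http://hostname", tok or "{token}",
                    urllib.request.urlopen if base and tok else dry_run_opener))
```

Without the two environment variables the script only prints the requests it would send, so the validation and default handling can be checked before any entry reaches Kondukto.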

  4. Update a Threat Intelligence Entry

Updates an existing TI entry by CVE ID.

Endpoint: {{API_BASE}}/api/v2/intelligence/{{CVE_ID}}
Method: PATCH

Sample:

curl --location --request PATCH 'http://hostname/api/v2/intelligence/CVE-2018-14721' \
--header 'X-Cookie: {token}' \
--data '{
    "cve_id": "CVE-2018-14722",
    "description": "Mitre Corporation has provided the following description: Cross-site scripting (XSS) vulnerability in the Create Employee feature in Hybris Management Console (HMC) in SAP Hybris before 5.0.4.11, 5.1.0.x before 5.1.0.11, 5.1.1.x before 5.1.1.12, 5.2.0.x and 5.3.0.x before 5.3.0.10, 5.4.x before 5.4.0.9, 5.5.0.x before 5.5.0.9, 5.5.1.x before 5.5.1.10, 5.6.x before 5.6.0.8, and 5.7.x before 5.7.0.9 allows remote authenticated users to inject arbitrary web script or HTML via the Name field.",
    "observed_in_the_wild": false,
    "known_exploit": false,
    "publish_date": "2023-08-16T19:05:01.000Z",
    "risk_rating": 2
}'

  5. Delete a Threat Intelligence Entry

Deletes the TI entry for the given CVE ID.

Endpoint: {{API_BASE}}/api/v2/intelligence/{{CVE_ID}}
Method: DELETE

Sample:

curl --location --request DELETE 'http://hostname/api/v2/intelligence/CVE-2018-14721' \
--header 'X-Cookie: {token}'

Data Model

All threat intelligence data is managed at the global level.

Each threat intelligence (TI) entry is linked to a unique CVE.

Once a TI record is created for a CVE (e.g., CVE-2018-14721), this information will be reflected in all findings associated with that CVE throughout the system.