Integrating with Custom Threat Intelligence Databases
It is possible to integrate Kondukto with custom TI databases that might be used in an organization. To do so, enable the integration under Integrations --> Threat Intelligence.
Once the integration is enabled, it becomes possible to feed Kondukto with threat intelligence data coming from a database through Kondukto's API.
The following information can be sent to Kondukto through the API:
CVE ID: Required
Description: Optional
Observed in the wild: Optional
Known exploit: Optional
Publish date: Optional
Risk Rating: Required (set as 0 by default)
An example is as follows:
{
"cve_id": "CVE-2018-14721", // required and must be unique
"description": "", // optional, default empty
"observed_in_the_wild": false, // optional, default false
"known_exploit": false, // optional, default false
"publish_date": "2023-08-16T19:05:01.000Z", // optional, defaults to the current time if sent as null
"risk_rating": 2 // optional, default 0
}
Threat Intelligence API Usage
This documentation explains how to interact with the Threat Intelligence (TI) API, including how to list, create, update, and delete custom threat intelligence data. All data is maintained at the global level, and each TI entry is associated with a specific CVE.
When you create or update a TI entry for a CVE (e.g., CVE-2018-14721), this threat intelligence data will be visible across all findings related to that CVE.
Authentication
All API requests require an authentication token to be sent via the X-Cookie header.
Header Example:
X-Cookie: {token}
The following operations can be carried out through the API:
Endpoints & Example Usage
- List All Threat Intelligence Entries
Returns all threat intelligence data available in the system.
Endpoint: {{API_BASE}}/api/v2/intelligence
Method: GET
Sample:
curl --location 'http://hostname/api/v2/intelligence' \
--header 'X-Cookie: {token}'
- Get a Threat Intelligence Entry by CVE ID
Returns the threat intelligence entry for a single CVE.
Endpoint: {{API_BASE}}/api/v2/intelligence/{{CVE_ID}}
Method: GET
Sample:
curl --location 'http://hostname/api/v2/intelligence/CVE-2018-14721' \
--header 'X-Cookie: {token}'
- Create a Threat Intelligence Entry
Creates a new TI entry for a specific CVE. If a TI entry with the same cve_id already exists, it will be updated.
Endpoint: {{API_BASE}}/api/v2/intelligence
Method: POST
Sample:
curl --location 'http://hostname/api/v2/intelligence' \
--header 'X-Cookie: {token}' \
--data '{
"cve_id": "CVE-2018-14721",
"description": "",
"observed_in_the_wild": false,
"known_exploit": false,
"publish_date": "2023-08-16T19:05:01.000Z",
"risk_rating": 2
}'
- Update a Threat Intelligence Entry
Updates an existing TI entry by CVE ID.
Endpoint: {{API_BASE}}/api/v2/intelligence/{{CVE_ID}}
Method: PATCH
Sample:
curl --location --request PATCH 'http://hostname/api/v2/intelligence/CVE-2018-14721' \
--header 'X-Cookie: {token}' \
--data '{
"cve_id": "CVE-2018-14722",
"description": "Mitre Corporation has provided the following description: Cross-site scripting (XSS) vulnerability in the Create Employee feature in Hybris Management Console (HMC) in SAP Hybris before 5.0.4.11, 5.1.0.x before 5.1.0.11, 5.1.1.x before 5.1.1.12, 5.2.0.x and 5.3.0.x before 5.3.0.10, 5.4.x before 5.4.0.9, 5.5.0.x before 5.5.0.9, 5.5.1.x before 5.5.1.10, 5.6.x before 5.6.0.8, and 5.7.x before 5.7.0.9 allows remote authenticated users to inject arbitrary web script or HTML via the Name field.",
"observed_in_the_wild": false,
"known_exploit": false,
"publish_date": "2023-08-16T19:05:01.000Z",
"risk_rating": 2
}'
- Delete a Threat Intelligence Entry
Endpoint: {{API_BASE}}/api/v2/intelligence/{{CVE_ID}}
Method: DELETE
Sample:
curl --location --request DELETE 'http://hostname/api/v2/intelligence/CVE-2018-14721' \
--header 'X-Cookie: {token}'
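The field list and JSON example above, together with the endpoints just shown, are enough to write a small feeder that pushes rows from a custom TI database into Kondukto. The following is an added example and not Kondukto's own client code; it assumes only what this page documents (the X-Cookie token header, the /api/v2/intelligence paths and the six entry fields). Validation happens before anything is sent, because cve_id is the unique key on the server and a malformed id would create a stray record that no finding ever matches. The sample rows, the placeholder id CVE-0000-0001 and the dry-run transport are constructed for the demonstration; pass no transport to use urllib against a real instance.

```python
"""Feed Kondukto's threat intelligence API from a custom TI database (added example)."""
import io
import json
import re
import urllib.request
from datetime import datetime, timezone

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
FIELD_DEFAULTS = {"description": "", "observed_in_the_wild": False,
                  "known_exploit": False, "risk_rating": 0}


def build_payload(record):
    """Validate one row from the custom database and shape it as a TI entry."""
    cve_id = str(record.get("cve_id") or "").strip().upper()
    if not CVE_RE.match(cve_id):  # cve_id is the server's unique key: reject typos here
        raise ValueError(f"invalid cve_id: {record.get('cve_id')!r}")
    payload = {"cve_id": cve_id}
    for key, default in FIELD_DEFAULTS.items():
        payload[key] = default if record.get(key) is None else record[key]
    for flag in ("observed_in_the_wild", "known_exploit"):
        if not isinstance(payload[flag], bool):
            raise ValueError(f"{flag} must be a boolean, got {payload[flag]!r}")
    rating = payload["risk_rating"]
    if isinstance(rating, bool) or not isinstance(rating, int) or rating < 0:
        raise ValueError(f"risk_rating must be a non-negative integer, got {rating!r}")
    published = record.get("publish_date")
    if isinstance(published, datetime):  # normalise to the documented UTC format
        published = published.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    if published is not None:  # omitted when unknown; the server then uses the current time
        payload["publish_date"] = published
    return payload


class KonduktoTIClient:
    """Thin wrapper over the documented endpoints; the HTTP transport is injectable."""

    def __init__(self, api_base, token, transport=None):
        self.api_base = api_base.rstrip("/")
        self.token = token
        self._open = transport or urllib.request.urlopen

    def _call(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.api_base + path, data=data, method=method)
        req.add_header("X-Cookie", self.token)  # the token travels only in this header
        if data is not None:
            req.add_header("Content-Type", "application/json")
        with self._open(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else None

    def upsert(self, record):  # POST creates the entry, or updates it if cve_id exists
        return self._call("POST", "/api/v2/intelligence", build_payload(record))

    def get(self, cve_id):
        return self._call("GET", f"/api/v2/intelligence/{cve_id}")

    def delete(self, cve_id):
        return self._call("DELETE", f"/api/v2/intelligence/{cve_id}")


def sync_records(client, records):
    """Push every row; bad rows are reported instead of aborting the whole sync."""
    sent, rejected = [], []
    for record in records:
        try:
            payload = build_payload(record)
        except ValueError as exc:
            rejected.append((record.get("cve_id"), str(exc)))
            continue
        client.upsert(payload)
        sent.append(payload["cve_id"])
    return {"sent": sent, "rejected": rejected}


class DryRunTransport:
    """Stands in for urlopen: records each request and echoes its body back."""

    def __init__(self):
        self.calls = []

    def __call__(self, req):
        self.calls.append((req.get_method(), req.full_url,
                           req.get_header("X-cookie"), req.data))
        return io.BytesIO(req.data or b"{}")


# Constructed sample rows, as a custom TI database might export them.
SAMPLE_RECORDS = [
    {"cve_id": "CVE-2018-14721", "known_exploit": True, "risk_rating": 2,
     "publish_date": datetime(2023, 8, 16, 19, 5, 1, tzinfo=timezone.utc)},
    {"cve_id": "cve-2018-14722", "observed_in_the_wild": True, "risk_rating": 2},
    {"cve_id": "not-a-cve", "risk_rating": 1},           # rejected: malformed id
    {"cve_id": "CVE-0000-0001", "risk_rating": -1},      # placeholder id; rejected: rating
]

if __name__ == "__main__":
    transport = DryRunTransport()
    client = KonduktoTIClient("http://hostname", "{token}", transport)
    print(json.dumps(sync_records(client, SAMPLE_RECORDS), indent=2))
    for method, url, _, body in transport.calls:
        print(method, url, body.decode())
```

Run it as-is to see the dry run: two POSTs to /api/v2/intelligence carry the normalised payloads (the lowercase id is upper-cased, the datetime becomes the documented string, the missing publish_date is omitted), and the two bad rows appear under "rejected" with the reason. Swapping the DryRunTransport for the default urlopen sends the same requests to a real instance.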
Data Model
All threat intelligence data is managed at the global level.
Each threat intelligence (TI) entry is linked to a unique CVE.
Once a TI record is created for a CVE (e.g., CVE-2018-14721), this information will be reflected in all findings associated with that CVE throughout the system.