Package: Invicti AppSec Enterprise (on-premise, on-demand)
Custom threat intelligence databases integration
You can integrate Invicti AppSec with custom threat intelligence databases that might be used in your organization. To do so, enable the integration under Integrations > Threat Intelligence.
Once the integration is enabled, you can feed Invicti AppSec with threat intelligence data coming from a database through Invicti AppSec's API.
Supported data fields
You can send the following information to Invicti AppSec through the API:
- CVE ID: required
- Description: optional
- Observed in the wild: optional
- Known exploit: optional
- Publish date: optional
- Risk rating: required (set as 0 by default)
Example JSON structure
{
    "cve_id": "CVE-2018-14721", // required and must be unique
    "description": "", // optional, default empty
    "observed_in_the_wild": false, // optional, default false
    "known_exploit": false, // optional, default false
    "publish_date": "2023-08-16T19:05:01.000Z", // optional, uses current time if null
    "risk_rating": 2 // optional, default 0
}
API usage
This section explains how to interact with the threat intelligence API, including how to list, create, update, and delete custom threat intelligence data. All data is maintained at the global level, and each threat intelligence entry is associated with a specific CVE.
When you create or update a threat intelligence entry for a CVE (for example, CVE-2018-14721), this threat intelligence data becomes visible across all findings related to that CVE.
Authentication
All API requests require an authentication token to be sent via the X-Cookie header.
Header Example:
X-Cookie: {token}
API endpoints
List all threat intelligence entries
Returns all threat intelligence data available in the system.
Endpoint: {{API_BASE}}/api/v2/intelligence
Method: GET
Sample Request:
curl --location 'http://hostname/api/v2/intelligence' \
    --header 'X-Cookie: {token}'
Get specific threat intelligence entry
Retrieves threat intelligence data for a specific CVE.
Endpoint: {{API_BASE}}/api/v2/intelligence/{CVE_ID}
Method: GET
Sample Request:
curl --location 'http://hostname/api/v2/intelligence/CVE-2018-14721' \
    --header 'X-Cookie: {token}'
Create threat intelligence entry
Creates a new threat intelligence entry for a specific CVE. If an entry with the same cve_id already exists, it will be updated.
Endpoint: {{API_BASE}}/api/v2/intelligence
Method: POST
Sample Request:
curl --location 'http://hostname/api/v2/intelligence' \
    --header 'X-Cookie: {token}' \
    --header 'Content-Type: application/json' \
    --data '{
        "cve_id": "CVE-2018-14721",
        "description": "",
        "observed_in_the_wild": false,
        "known_exploit": false,
        "publish_date": "2023-08-16T19:05:01.000Z",
        "risk_rating": 2
    }'
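Because a create call overwrites any existing entry with the same cve_id and the result shows on every finding for that CVE, it helps to validate feed records before sending them. The following is an added example, not Invicti's code: it applies the documented defaults, rejects malformed fields, and builds the POST request without sending it. The host name, token, sample record, CVE ID pattern, and HTTPS-only rule are assumptions of this example.

```python
import json
import re
import urllib.request
from datetime import datetime, timezone

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")  # standard CVE ID syntax (assumption)


def build_entry(record):
    """Normalize one feed record into the JSON structure documented above."""
    cve_id = str(record.get("cve_id", "")).strip().upper()
    if not CVE_RE.match(cve_id):
        raise ValueError(f"invalid or missing cve_id: {cve_id!r}")
    rating = record.get("risk_rating", 0)  # documented default is 0
    if isinstance(rating, bool) or not isinstance(rating, int):
        raise ValueError("risk_rating must be an integer")
    entry = {"cve_id": cve_id, "risk_rating": rating,
             "description": str(record.get("description") or "")}
    for flag in ("observed_in_the_wild", "known_exploit"):
        value = record.get(flag, False)  # documented default is false
        if not isinstance(value, bool):  # a string such as "false" would be truthy
            raise ValueError(f"{flag} must be a boolean")
        entry[flag] = value
    published = record.get("publish_date")
    if published is not None:  # when left out, the server uses the current time
        if not isinstance(published, datetime) or published.tzinfo is None:
            raise ValueError("publish_date must be a timezone-aware datetime")
        utc = published.astimezone(timezone.utc)
        entry["publish_date"] = (utc.strftime("%Y-%m-%dT%H:%M:%S")
                                 + f".{utc.microsecond // 1000:03d}Z")
    return entry


def build_upsert_request(api_base, token, entry):
    """Build (but do not send) the POST that creates or updates an entry."""
    if not api_base.lower().startswith("https://"):  # this example's own policy
        raise ValueError("refusing to send the X-Cookie token over plain HTTP")
    return urllib.request.Request(
        api_base.rstrip("/") + "/api/v2/intelligence",
        data=json.dumps(entry).encode("utf-8"), method="POST",
        headers={"X-Cookie": token, "Content-Type": "application/json"})


# Constructed sample record; host and token below are placeholders.
SAMPLE = {"cve_id": "cve-2018-14721", "known_exploit": True,
          "publish_date": datetime(2023, 8, 16, 19, 5, 1, tzinfo=timezone.utc)}
if __name__ == "__main__":
    req = build_upsert_request("https://appsec.example.internal", "TOKEN",
                               build_entry(SAMPLE))
    print(req.get_method(), req.full_url, req.data.decode())
```

Pass the returned request to `urllib.request.urlopen` to send it.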
Update threat intelligence entry
Updates an existing threat intelligence entry by CVE ID.
Endpoint: {{API_BASE}}/api/v2/intelligence/{CVE_ID}
Method: PATCH
Sample Request:
curl --location --request PATCH 'http://hostname/api/v2/intelligence/CVE-2018-14721' \
    --header 'X-Cookie: {token}' \
    --header 'Content-Type: application/json' \
    --data '{
        "cve_id": "CVE-2018-14722",
        "description": "Mitre Corporation has provided the following description: Cross-site scripting (XSS) vulnerability in the Create Employee feature in Hybris Management Console (HMC) in SAP Hybris before 5.0.4.11, 5.1.0.x before 5.1.0.11, 5.1.1.x before 5.1.1.12, 5.2.0.x and 5.3.0.x before 5.3.0.10, 5.4.x before 5.4.0.9, 5.5.0.x before 5.5.0.9, 5.5.1.x before 5.5.1.10, 5.6.x before 5.6.0.8, and 5.7.x before 5.7.0.9 allows remote authenticated users to inject arbitrary web script or HTML via the Name field.",
        "observed_in_the_wild": false,
        "known_exploit": false,
        "publish_date": "2023-08-16T19:05:01.000Z",
        "risk_rating": 2
    }'
Delete threat intelligence entry
Removes an existing threat intelligence entry by CVE ID.
Endpoint: {{API_BASE}}/api/v2/intelligence/{CVE_ID}
Method: DELETE
Sample Request:
curl --location --request DELETE 'http://hostname/api/v2/intelligence/CVE-2018-14721' \
    --header 'X-Cookie: {token}'
Data model
All threat intelligence data is managed at the global level and each threat intelligence entry is linked to a unique CVE.
Once a threat intelligence record is created for a CVE (for example, CVE-2018-14721), this information is reflected in all findings associated with that CVE throughout the system.