ThreatNG
Discover and monitor your external attack surface with ThreatNG. This integration ingests exposure scores, subdomains, DNS permutations, cloud assets, SaaS vendor identification, code secrets, and TLS/SSL certificate findings to provide visibility into your organization's digital risk posture.
Installation
You will need a ThreatNG API key to configure this integration. API keys are provisioned by ThreatNG for your organization. Contact your ThreatNG account representative or reach out to info@threatngsecurity.com to request API access.
To install the ThreatNG integration in JupiterOne, navigate to the Integrations tab in JupiterOne and select ThreatNG. Click New Instance to begin configuring your integration.
Creating an instance requires the following:
- API Key - Your ThreatNG API key used to authenticate requests. This key is sent via the `ApiKey` header to the ThreatNG Public API.
- Domain - The domain you want to monitor (e.g., `example.com`). ThreatNG scans this domain for external attack surface findings including subdomains, cloud assets, DNS permutations, code secrets, SaaS identification, and TLS/SSL certificates.
- Polling Interval - Select a frequency that meets your monitoring needs. You may leave this as `DISABLED` and manually execute the integration.
Click Create once all values are provided to finalize the integration.
What data is ingested?
| Data | Description |
|---|---|
| Exposure Score | Overall ThreatNG exposure grade and per-category scores (Cyber Risk, BEC & Phishing Susceptibility, Brand Damage, etc.) |
| Subdomains | Discovered subdomains for the monitored domain |
| DNS Permutations | Typosquatting and look-alike domains that are registered (taken), with or without MX records |
| Code Secrets | Exposed secrets and credentials found in public code repositories |
| Cloud Discovery | Cloud assets discovered across AWS, GCP, and other providers, including S3 buckets and storage containers |
| SaaS Identification | Third-party SaaS vendors identified as being used by the organization |
| TLS/SSL Certificates | Summary of TLS/SSL certificate status (total, valid, invalid) |
Next steps
Now that your integration instance has been configured, it will begin running on the polling interval you provided, populating data within JupiterOne. Continue on to our Instance management guide to learn more about working with and editing integration instances.
Endpoints
API endpoints that the integration makes requests to.
- https://api.threatngsecurity.com/v1/Job/GetAllJobs
- https://api.threatngsecurity.com/v2/exposurePriority/{rating}/{domain}
- https://api.threatngsecurity.com/v2/exposureScore/Grade/{domain}
- https://api.threatngsecurity.com/v2/exposureSummary/module/SaaSIdentification/{domain}
- https://api.threatngsecurity.com/v2/exposureSummary/module/Subdomains/{domain}
- https://api.threatngsecurity.com/v2/exposureSummary/module/{module}/{domain}
- https://api.threatngsecurity.com/v2/summary/DomainIntelligence/TLSSSLCertificates/{domain}
Per-Step Breakdown
Detailed authorization requirements for each ingestion step.
| Step | Endpoints |
|---|---|
| Fetch Certificate Findings | https://api.threatngsecurity.com/v2/summary/DomainIntelligence/TLSSSLCertificates/{domain} |
| Fetch Cloud Discovery Findings | https://api.threatngsecurity.com/v2/exposureSummary/module/{module}/{domain} |
| Fetch Code Secret Findings | https://api.threatngsecurity.com/v2/exposurePriority/{rating}/{domain} |
| Fetch DNS Permutation Findings | https://api.threatngsecurity.com/v2/exposurePriority/{rating}/{domain} |
| Fetch SaaS Identified Findings | https://api.threatngsecurity.com/v2/exposureSummary/module/SaaSIdentification/{domain} |
| Fetch Service | https://api.threatngsecurity.com/v2/exposureScore/Grade/{domain} |
| Fetch Subdomain Findings | https://api.threatngsecurity.com/v2/exposureSummary/module/Subdomains/{domain} |
Entities
The following entities are created:
| Resources | Entity _type | Entity _class |
|---|---|---|
| Account | threatng_account | Account |
| Certificate Finding | threatng_certificate_finding | Finding |
| Cloud Discovery Asset | threatng_cloud_discovery_asset | Finding |
| Cloud Discovery Bucket | threatng_cloud_discovery_bucket | Finding |
| Cloud Discovery Finding | threatng_cloud_discovery_finding | Finding |
| Code Secret Finding | threatng_code_secret_finding | Finding |
| DNS Permutation Finding | threatng_dns_permutation_finding | Finding |
| SaaS Identified Finding | threatng_saas_identified_finding | Finding |
| Service | threatng_service | Service |
| Subdomain Finding | threatng_subdomain_finding | Finding |
Relationships
The following relationships are created:
| Source Entity _type | Relationship _class | Target Entity _type |
|---|---|---|
| threatng_account | HAS | threatng_service |
| threatng_cloud_discovery_finding | HAS | threatng_cloud_discovery_bucket |
| threatng_cloud_discovery_finding | HAS | threatng_cloud_discovery_asset |
| threatng_service | IDENTIFIED | threatng_dns_permutation_finding |
| threatng_service | IDENTIFIED | threatng_code_secret_finding |
| threatng_service | IDENTIFIED | threatng_cloud_discovery_finding |
| threatng_service | IDENTIFIED | threatng_certificate_finding |
| threatng_service | IDENTIFIED | threatng_subdomain_finding |
| threatng_service | IDENTIFIED | threatng_saas_identified_finding |
Mapped Relationships
The following mapped relationships are created:
| Source Entity _type | Relationship _class | Target Entity _type | Direction |
|---|---|---|---|
| threatng_cloud_discovery_bucket | IS | aws_s3_bucket | FORWARD |
| threatng_cloud_discovery_bucket | IS | azure_storage_container | FORWARD |
| threatng_cloud_discovery_bucket | IS | google_storage_bucket | FORWARD |
| threatng_code_secret_finding | HAS | github_repo | REVERSE |
| threatng_dns_permutation_finding | CONNECTS | Domain | FORWARD |
| threatng_saas_identified_finding | IDENTIFIED | jupiterone_integration | FORWARD |
Threatng Account
threatng_account inherits from Account
| Property | Type | Description | Specifications |
|---|---|---|---|
| vendor * | string | The vendor name for the account | |
Threatng Certificate Finding
threatng_certificate_finding inherits from Finding
| Property | Type | Description | Specifications |
|---|---|---|---|
| commonName * | string | The common name (CN) of the certificate | |
| isExpired * | boolean \| null | Whether the certificate is expired | |
| issuer * | string \| null | The issuer of the certificate | |
| isWildcard * | boolean \| null | Whether the certificate is a wildcard certificate | |
| serialNumber * | string \| null | The serial number of the certificate | |
| signatureAlgorithm * | string \| null | The signature algorithm used | |
| source | string | The source of this finding | |
| subjectAltNames * | array \| null | Subject alternative names on the certificate | |
Threatng Cloud Discovery Asset
threatng_cloud_discovery_asset inherits from Finding
| Property | Type | Description | Specifications |
|---|---|---|---|
| assetName * | string \| null | The name of the cloud asset | |
| assetType * | string \| null | The type of cloud asset | |
| cloudProvider * | string \| null | The cloud provider of the asset | |
| isPublic * | boolean \| null | Whether the cloud asset is publicly accessible | |
| region * | string \| null | The cloud region where the asset is located | |
| source | string | The source of this finding | |
| url * | string \| null | URL of the cloud asset | |
Threatng Cloud Discovery Bucket
threatng_cloud_discovery_bucket inherits from Finding
| Property | Type | Description | Specifications |
|---|---|---|---|
| bucketAccessType * | string \| null | The access type key from ThreatNG (e.g. 'S3 Bucket Open') | |
| bucketName * | string | The name/identifier of the cloud bucket | |
| bucketUrl * | string \| null | The URL of the cloud bucket, used for mapped relationship matching | |
| cloudProvider * | string \| null | The cloud provider of the bucket (e.g. Amazon Web Services, Microsoft Azure) | |
| source | string | The source of this finding | |
Threatng Cloud Discovery Finding
threatng_cloud_discovery_finding inherits from Finding
| Property | Type | Description | Specifications |
|---|---|---|---|
| cloudProvider * | string | The cloud provider name (e.g. Amazon Web Services, Microsoft Azure, Google Cloud Platform) | |
| source | string | The source of this finding | |
| totalAssets * | number \| null | Total number of cloud assets discovered | |
| totalBuckets * | number \| null | Total number of cloud buckets discovered | |
Threatng Code Secret Finding
threatng_code_secret_finding inherits from Finding
| Property | Type | Description | Specifications |
|---|---|---|---|
| author * | string \| null | The author of the commit containing the secret | |
| branch * | string \| null | The branch where the secret was found | |
| commitHash * | string \| null | The commit hash where the secret was introduced | |
| filePath * | string \| null | The file path where the secret was found | |
| repository * | string | The repository name where the secret was found | |
| secretType * | string \| null | The type of secret found (e.g. API key, credential) | |
| source | string | The source of this finding | |
Threatng Dns Permutation Finding
threatng_dns_permutation_finding inherits from Finding
| Property | Type | Description | Specifications |
|---|---|---|---|
| domainPermutation * | string | The permuted domain name | |
| ipv4 * | string \| null | IPv4 address of the permuted domain | |
| ipv6 * | string \| null | IPv6 address of the permuted domain | |
| isActive * | boolean \| null | Whether the permuted domain is actively resolving | |
| isRegistered * | boolean \| null | Whether the permuted domain is registered | |
| mxRecords * | array \| null | MX records for the permuted domain | |
| nameServers * | array \| null | Name servers for the permuted domain | |
| permutationType * | string \| null | The type of permutation (e.g. homoglyph, insertion) | |
| source | string | The source of this finding | |
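
The following is an added example, not part of the ThreatNG or JupiterOne documentation: one way to order `threatng_dns_permutation_finding` entities for analyst review using the `isRegistered`, `isActive` and `mxRecords` properties listed above, treating `null` as "not yet known" rather than as `false`. The bucket names, their ordering and the sample entities are assumptions constructed for illustration.

```python
# Constructed sample entities: property names follow the table above,
# values are made up and use the reserved .example TLD.
SAMPLE_FINDINGS = [
    {"domainPermutation": "acm.example", "isRegistered": True,
     "isActive": False, "mxRecords": None, "permutationType": None},
    {"domainPermutation": "acmee.example", "isRegistered": True,
     "isActive": True, "mxRecords": [], "permutationType": "insertion"},
    {"domainPermutation": "amce.example", "isRegistered": False,
     "isActive": False, "mxRecords": None, "permutationType": None},
    {"domainPermutation": "acrne.example", "isRegistered": True,
     "isActive": True, "mxRecords": ["mx1.acrne.example"],
     "permutationType": "homoglyph"},
    {"domainPermutation": "acme-co.example", "isRegistered": None,
     "isActive": None, "mxRecords": None, "permutationType": None},
]

# Review order (assumption): a look-alike that publishes MX records is set
# up to handle mail, so it is looked at first; unknown data is ranked above
# confirmed-parked so that gaps in collection are not silently ignored.
ORDER = ["mail-capable", "resolving", "unknown", "parked", "unregistered"]


def triage(finding):
    """Return the review bucket for one DNS permutation finding."""
    registered = finding.get("isRegistered")
    active = finding.get("isActive")
    mx = finding.get("mxRecords") or []   # null and [] both mean "no MX seen"
    if registered is False:
        return "unregistered"
    if mx:
        return "mail-capable"
    if registered is None or active is None:
        return "unknown"
    return "resolving" if active else "parked"


def rank(findings):
    """Return (bucket, domain) pairs sorted by review order, then by name."""
    pairs = [(triage(f), f["domainPermutation"]) for f in findings]
    return sorted(pairs, key=lambda p: (ORDER.index(p[0]), p[1]))


if __name__ == "__main__":
    for bucket, domain in rank(SAMPLE_FINDINGS):
        print(f"{bucket:13} {domain}")
```
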
Threatng Saas Identified Finding
threatng_saas_identified_finding inherits from Finding
| Property | Type | Description | Specifications |
|---|---|---|---|
| saasCategory * | string | The functional category of the SaaS product (e.g. Issue trackers, Live chat, Analytics) | |
| saasVendor * | string | The name of the identified SaaS vendor (e.g. Atlassian, Slack, Zoom) | |
| source | string | The source of this finding | |
Threatng Service
threatng_service inherits from Service
| Property | Type | Description | Specifications |
|---|---|---|---|
| domain * | string | The domain being monitored | |
| exposureGrade * | string \| null | The overall ThreatNG exposure grade (e.g. A, B, C, D, F) | |
| exposureScores * | array \| null | Individual exposure score grades (e.g. "Cyber Risk: C") | |
Threatng Subdomain Finding
threatng_subdomain_finding inherits from Finding
| Property | Type | Description | Specifications |
|---|---|---|---|
| httpStatus * | number \| null | HTTP response status code | |
| ipv4 * | string \| null | IPv4 address of the subdomain | |
| ipv6 * | string \| null | IPv6 address of the subdomain | |
| isActive * | boolean \| null | Whether the subdomain is actively resolving | |
| source | string | The source of this finding | |
| subdomain * | string | The discovered subdomain | |
| technologies * | array \| null | Technologies detected on the subdomain | |