API Integrations
Application Programming Interface (API) feeds are software intermediaries that allow two applications to communicate with each other. In Intel Exchange, administrators can configure API feed sources to receive threat intelligence data at specified time intervals. Each API feed source provides its own feed channels for different types of threat intelligence data, such as hashes, URLs, indicators, threat actors, and more. You can manage the API connector configurations and start receiving threat intel packages from the configured API sources.
Add an API Feed Source Instance
You can add an API feed instance in Intel Exchange to use an API source. These sources retrieve threat intelligence data from third-party connectors.
Before you Start
Ensure that you have the View API Feed, View Feed Source, Create Feed Source, and Update Feed Source permissions.
Ensure that you have the authentication keys and credentials of the selected API source to add an instance.
Steps
To add an API feed source instance, follow these steps:
Go to Administration > Integration Management, and select APIs under Feed Sources.
Click Add API Source, and select an application.
Click Add Instance.
Enter feed source information, such as an Instance Name, Base URL, and application-specific authentication credentials.
Each API feed source will have a unique set of authentication credentials. For more information about specific connector documentation, see Integrations.
Click Save.
You can add multiple instances for an API source based on your requirement by clicking Manage and Add More. However, for each instance, you will require a different set of authentication credentials.
Configure API Feed Channels
After you add an instance, enable the feed channels to poll threat data. Data received from each of these feed channels is stored in a collection.
Steps
To configure API feed channels, follow these steps:
Go to Administration > Integration Management. In Feed Sources, click APIs.
Select an API feed source, click on the vertical ellipsis in the upper-right corner, and select Manage.
Click Manage Feed Channels.
Select a feed channel, and enable the toggle switch to set the instance to active.
Start Date and Time: Enter the date and time to start polling feeds. Select a date within 15 days from the current date.
Collection Name: Enter a name of up to 100 characters for the collection that stores the feed data. The system creates the collection and puts all the feeds into it.
Polling Cron Schedule: Select one of the following Polling Cron Schedule types to define when to poll the data:
Manual: Allows you to manually poll from the source collection.
Auto: Allows you to automatically poll for threat intel from sources at specific time intervals. The default polling cron schedule is Auto.
TLP: Set the TLP for the feeds that do not have a TLP already assigned. The default TLP is Amber. Alternatively, you can select None to ensure that no TLP is assigned to the feeds.
Default Source Confidence: Enter the confidence score for the feeds that do not have a confidence score already assigned. The default confidence score is 100.
Deprecates after: Specify the number of days after which the threat data (indicator) will be marked as deprecated, unless the source defines its own expiry duration. The allowed range is 1-180 days. If the same indicator is received from multiple sources, the longest valid duration is applied.
Override Source Specified Valid Until: Enable to apply the value set in Deprecates after, even if the source provides an expiry duration.
Custom Scores: Enter the default values for the custom scores you have configured in Administration > Configuration > Custom Scores.
Default Tags: Select existing tags or create new ones to identify and categorize the feeds.
Click Save.
You can view the updated changes in View Details.
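The expiry and default-value rules described above, modeled as an added Python example (not Intel Exchange code). The class and function names are hypothetical, and it assumes that the Deprecates after countdown starts when the indicator is received and that "longest valid duration" means the latest resulting expiry date.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class ChannelConfig:  # hypothetical model of one feed channel's settings
    deprecates_after_days: int                 # allowed range: 1-180
    override_source_valid_until: bool = False
    default_tlp: Optional[str] = "AMBER"       # None = assign no TLP
    default_confidence: int = 100

    def __post_init__(self):
        if not 1 <= self.deprecates_after_days <= 180:
            raise ValueError("Deprecates after must be 1-180 days")

@dataclass
class Sighting:  # one indicator as received on one feed channel
    received: datetime
    source_valid_until: Optional[datetime] = None
    tlp: Optional[str] = None
    confidence: Optional[int] = None

def channel_expiry(cfg: ChannelConfig, s: Sighting) -> datetime:
    """Source expiry wins unless the override is on or the source gave none."""
    if s.source_valid_until is not None and not cfg.override_source_valid_until:
        return s.source_valid_until
    # Assumption: the countdown starts at the time of receipt.
    return s.received + timedelta(days=cfg.deprecates_after_days)

def effective_expiry(pairs) -> datetime:
    """Same indicator from several sources: the longest validity applies."""
    return max(channel_expiry(cfg, s) for cfg, s in pairs)

def apply_defaults(cfg: ChannelConfig, s: Sighting):
    """Channel defaults fill in only the values the feed left unset."""
    tlp = s.tlp if s.tlp is not None else cfg.default_tlp
    conf = s.confidence if s.confidence is not None else cfg.default_confidence
    return tlp, conf

# Constructed sample: one indicator seen on two channels on the same day.
T0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
strict = ChannelConfig(deprecates_after_days=7, override_source_valid_until=True)
lenient = ChannelConfig(deprecates_after_days=30)
from_a = Sighting(T0, source_valid_until=T0 + timedelta(days=90), tlp="GREEN")
from_b = Sighting(T0)  # source sent no expiry, TLP, or confidence

if __name__ == "__main__":
    print(channel_expiry(strict, from_a))
    print(effective_expiry([(strict, from_a), (lenient, from_b)]))
```

In this model the override shortens the first channel's 90-day source expiry to 7 days, but the indicator still stays valid for 30 days because the second channel contributes the longer duration.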
Poll API Feeds Manually
You can poll data manually even if you selected Auto while configuring the feed channels. Auto polling still runs automatically.
Steps
To manually poll API feeds, follow these steps:
Go to Administration > Integration Management > Feed Sources, and select APIs.
Select an API feed source and select a feed channel.
Click the vertical ellipsis and click Poll Now.
View API Feeds in Intel Exchange
After configuring the integration, you can view the intel received from the feed source.
Steps
To view API feeds in Intel Exchange, follow these steps:
Go to Administration > Integration Management > Feed Sources, and select APIs.
Select the API feed source and select a feed channel.
Click the vertical ellipsis and select View Intel. You can view the IOCs received in the feeds from this source in Threat Data.
Supported Actions for API Feed Source
You can perform the following actions after you configure the API feed source:
Reset Tool: Click the ellipsis at the upper-right corner to reset any added instances for the API feed source.
View Intel: Click View Intel at the upper-right corner to view the threat intelligence data received from the feed source in Threat Data.
View Details: Click the ellipsis on the feed channel and select View Details to view details of the selected feed channel, such as the last polling information, the selected polling type, the user who modified any details, and more.
View Intel: Click the ellipsis on the feed channel and select View Intel to view the intel specifically received using that feed channel in Threat Data.
Edit Config: Click the ellipsis on the feed channel and select Edit Config to modify the configurations of the feed channel. You can modify the polling type, collection name, polling date, and the default values for the custom scores you have configured in Administration > Configuration > Custom Scores.
Poll Now: Click the ellipsis on the feed channel and select Poll Now to manually poll data using the selected feed channel.