BAE Systems

Connector Category: API Feed Source

Notice

This integration is available in Intel Exchange from v3.7.5.5 onwards.

About Integration

Intel Exchange integrates with BAE Systems to provide enriched threat intelligence that supports faster detection and analysis of advanced threats. This integration enhances visibility by delivering high-quality intelligence on APT groups, malware, phishing activity, and vulnerabilities. By standardizing BAE Systems intelligence within Intel Exchange, the integration enables proactive investigations, automated enrichment workflows, and improved decision-making across security operations.

In Intel Exchange, the BAE Systems integration retrieves the following types of threat data objects:

Use Cases 

  • Seamlessly ingest BAE Systems threat intelligence into Intel Exchange for timely access to high-quality indicators and reports.

  • Apply rule-based automation in Intel Exchange using BAE Systems Confidence scores to trigger alerts, publish to collections, or initiate enrichment workflows.

  • Filter, search, and report on BAE Systems indicators based on their confidence score to support analytical and operational needs.

  • Share curated intelligence with internal and external stakeholders, routed according to confidence levels for enhanced situational awareness.

Configure BAE Systems

Integrate with BAE Systems as a feed source and start receiving threat intel in Intel Exchange.

To configure BAE Systems as an integration tool, follow these steps:

Configure BAE Systems as a Feed Source

Configure the BAE Systems API feed source to receive events from BAE Systems into Intel Exchange.

Before you Start 

  • You must have the View API Feed, View Feed Source, Create Feed Source, and Update Feed Source permissions in Intel Exchange.

  • You must have the base URL and API key of your BAE Systems account.

Steps 

To configure BAE Systems as an API feed source in Intel Exchange, follow these steps:

  1. Go to Administration > Integration Management. In FEED SOURCES, click APIs.

  2. Click Add API Source.

  3. Search and select BAE Systems.

  4. Click Add Instance and enter the following details:

    • Instance Name: Enter a unique name to identify the instance. For example, Prod-BAE Systems.

    • Base URL: Enter the base URL of your BAE Systems instance. The default base URL is https://sigs.ti.baesystems.com/.

      Note

      Verify the base URL in your BAE Systems instance or documentation to ensure it matches your environment.

    • API Token: Enter the API token to authenticate with BAE Systems.

    • Verify SSL: Select this to verify the SSL certificate and secure the connection between the Intel Exchange and BAE Systems servers. By default, verification is enabled.

      Note

      Enabling SSL verification is recommended. If you disable this option, an expired SSL certificate may be used while configuring the instance. The connection may then not be established properly, and you will not be notified of a broken or improper connection.

  5. Click Save.

After BAE Systems is configured successfully, you can view the feed channels. You can configure multiple instances by clicking Manage > Add More.

Configure BAE Systems Feed Channels

Configure the feed channels to retrieve events from the BAE Systems MISP instance and store them in collections within Intel Exchange.

Steps 

To configure the feed channels, follow these steps:

  1. Go to Administration > Integration Management. In FEED SOURCES, click APIs.

  2. Search and select BAE Systems.

  3. Click the vertical ellipsis, and select Manage.

  4. Click Manage Feed Channels.

  5. Select a feed channel and turn on the toggle. Use the following information while configuring the channel:

    • Start Date and Time: Enter the date and time to start polling feeds. Select a date within 15 days from the current date.

    • Collection Name: Enter the name of the collection to store the feed data. For example, BAE Systems Feeds. Intel Exchange creates the collection and stores all the feeds from the feed channel.

    • Published: Select this option to receive only published events from BAE Systems. If you do not select this option, then Intel Exchange polls all events, including unpublished events.

    • Filters: To filter events based on specific parameters, follow these steps:

      1. Filter: Select a parameter to filter events. You can view the values of the selected parameter available in the configured BAE Systems instance in Value.

      2. Value: Select the values to retrieve specific events. For example, Internal Sharing Group. Events associated with the selected values will be ingested.

      Note

      To retrieve Signature feeds from BAE Systems, select Sharing Group as the filter and Signatures as the value.

    • Polling Cron Schedule: Select from one of the following Polling Cron Schedule types to define when to poll the data:

      • Manual: Allows you to manually poll from the source collection.

      • Auto: Allows you to automatically poll for threat intel from sources at specific time intervals. The default polling cron schedule is Auto. Enter a frequency in minutes between 60 and 10080 minutes in Polling Time. The default polling time is 240 minutes.

    • TLP: Set the TLP for the feeds that do not have a TLP already assigned. The default TLP is Amber. Alternatively, you can select None to ensure that no TLP is assigned to the feeds.

    • Default Source Confidence: Enter the confidence score for the feeds that do not have a confidence score already assigned. The default confidence score is 100.

    • Deprecates after: Specify the number of days after which the threat data (indicator) will be marked as deprecated, unless the source defines its own expiry duration. The allowed range is 1-180 days.

    • Custom Score: Select the Relevance and Severity Score for the channel.

    • Tags: Select any tags to identify and categorize the feeds.

  6. Click Save.

The feed channel is configured, and you can poll feeds from the channel. You can enable the other feed channels and poll feeds, and view the feeds.
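
The channel settings above follow one precedence rule: TLP, confidence and expiry defaults apply only where the source left the value unset. The sketch below models that rule and the stated limits as an added example, not Intel Exchange code; the field names, dictionary layout and sample records are assumptions made for illustration, and the 15-day window is checked in both directions because the page does not say which it means.

```python
from datetime import datetime, timedelta, timezone

# Limits and defaults are the ones stated in the steps above.
# Field names and the dict layout are hypothetical, not Intel Exchange's schema.
POLL_RANGE = (60, 10080)        # Polling Time, minutes (Auto schedule)
DEPRECATE_RANGE = (1, 180)      # Deprecates after, days
START_WINDOW = timedelta(days=15)

def validate_channel(cfg, now):
    """Return a list of setting errors; an empty list means the config is valid."""
    errors = []
    if cfg.get("schedule", "auto") == "auto":
        minutes = cfg.get("polling_minutes", 240)
        if not POLL_RANGE[0] <= minutes <= POLL_RANGE[1]:
            errors.append("polling_minutes outside 60-10080")
    days = cfg["deprecates_after_days"]
    if not DEPRECATE_RANGE[0] <= days <= DEPRECATE_RANGE[1]:
        errors.append("deprecates_after_days outside 1-180")
    if abs(now - cfg["start"]) > START_WINDOW:
        errors.append("start not within 15 days of the current date")
    return errors

def apply_defaults(indicator, cfg, received):
    """Fill TLP, confidence and expiry only where the source left them unset."""
    out = dict(indicator)
    tlp = cfg.get("tlp", "AMBER")
    if out.get("tlp") is None and tlp != "NONE":   # None in the UI: assign nothing
        out["tlp"] = tlp
    if out.get("confidence") is None:
        out["confidence"] = cfg.get("default_confidence", 100)
    if out.get("valid_until") is None:             # a source-defined expiry wins
        out["valid_until"] = received + timedelta(days=cfg["deprecates_after_days"])
    return out

# Constructed sample data (not real BAE Systems intelligence).
NOW = datetime(2024, 5, 20, 12, 0, tzinfo=timezone.utc)
CHANNEL = {"schedule": "auto", "polling_minutes": 240, "tlp": "AMBER",
           "default_confidence": 100, "deprecates_after_days": 90,
           "start": NOW - timedelta(days=7)}
BARE = {"type": "domain", "value": "malicious.example"}
SCORED = {"type": "ipv4", "value": "198.51.100.7", "tlp": "RED",
          "confidence": 60, "valid_until": NOW + timedelta(days=5)}

if __name__ == "__main__":
    print(validate_channel(CHANNEL, NOW))
    for ind in (BARE, SCORED):
        print(apply_defaults(ind, CHANNEL, NOW))
```

Because the default confidence is 100, any indicator the source does not score enters at the top of the scale, which matters for rules that trigger on confidence.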

Test Feed Channel Connectivity

Test the connectivity of the BAE Systems feed channels to ensure that the connection with the correct API endpoint is established and that you have permission to poll feeds.

Before you Start 

  • Ensure that the BAE Systems API feed source is enabled.

  • Ensure that the feed channel for which you want to test connectivity is enabled.

Steps 

To test the connectivity of a feed channel, follow these steps:

  1. Go to Administration > Integration Management. In FEED SOURCES, click APIs.

  2. Search and select the BAE Systems app.

  3. On a feed channel, click the vertical ellipsis and select View Details.

  4. In the Working Status section, click Test Connectivity.

If the connection is established, then the working status shows Running. If the connectivity is broken, then the working status shows a Connection Error. Hover over the tooltip next to Connection Error to view the error code.

Note

When a feed channel loses connectivity, it is automatically disabled, and the system attempts to restore connectivity three times every hour. If the connectivity is successfully restored, the feed channel is automatically re-enabled.

To understand the error code and troubleshoot broken connectivity, see Troubleshoot Integrations.

View BAE Systems Feeds on Intel Exchange

After configuring the BAE Systems integration on the Intel Exchange application, you can view the intel received on the Intel Exchange application. The Intel Exchange application mainly receives Indicator STIX Objects through this integration.

  1. On the BAE Systems integration configuration page, select View Intel.

  2. View the indicators received from BAE Systems in Threat Data.

BAE Systems Objects Ingested in Intel Exchange

BAE Systems objects are used in BAE Systems and can also be used by other information sharing tools. These objects and their associated attributes are created based on real cybersecurity use cases.

In Intel Exchange, all intel that is received is converted into STIX objects. The following BAE Systems objects acquired in Intel Exchange are converted to STIX objects. The rest of the BAE Systems objects are converted to custom objects.

  • ASN

  • CIDR

  • Domain

  • Email

  • IP 

  • MAC address

  • MD5

  • Mutex

  • Port

  • Registry Key

  • SHA1

  • SHA224

  • SHA256

  • SHA384

  • SHA512

  • SSDEEP

  • URL

  • Malware

  • Threat Actor

  • Attack Pattern

  • Course of Action

  • DDoS

  • DNS Record

  • Domain crawled

  • Domain IP

  • Geo location

  • HTTP request

  • Phishing kit

  • Report

  • Shortened link

  • STIX2 pattern

  • Tor-node

  • Victim

Publish BAE Systems Feed to Collections

Intel Exchange enables you to publish malicious objects with context and metadata received from BAE Systems to subscribers so that they can take action and share with others.

To publish the BAE Systems feed to the collections, follow these steps:

  1. From Administration, select Integration Management, and select Rules under Actions.

  2. Click New Rule.

  3. Enter the rule name and description to identify the rule.

  4. Select Tags to categorize and identify the rule.

  5. Click Submit.

  6. In the Source box, select BAE Systems and its collections from the Source and Collection drop-down menus to poll threat intel.

  7. Define a condition to apply to the rule. For more information on defining rules and conditions, see Automation Rules.

  8. To define an action after a condition has been met, add an action by hovering below the condition box or expand Actions under Component on the left side of the screen and select Publish to Collection.

  9. Select CTIX as the application to implement the rule.

  10. Select the default account for the application.

  11. Select Fast & Light as the Analyser to publish the information in non-editable mode.

  12. Select server collections to post the intel about malicious objects and metadata.

  13. Click Save.