Flashpoint Ignite

Connector Category: API Feed Source

Notice

If you are using Flashpoint as an API feed source in Intel Exchange, refer to the Migrating to Flashpoint Ignite Feed Source section before you configure Flashpoint Ignite as an API feed source.

About Integration

Flashpoint Ignite is an advanced intelligence platform that helps organizations enhance threat detection and risk mitigation capabilities. Intel Exchange integrates with Flashpoint Ignite to retrieve feeds related to threat intel reports, vulnerabilities, and indicators of compromise (IOCs). This integration enables you to gain visibility into intelligence landscapes across cyber threats and vulnerabilities to make informed decisions.

Use Cases 

  • Verify product vulnerabilities in your environment by searching Intel Exchange by product name.

  • Detect and block malicious IOCs.

  • Retrieve vulnerabilities and filter them using their Common Vulnerability Scoring System (CVSS) scores.

  • Extract customer-premises equipment (CPEs) or products directly via relations, and check if any product in your configuration management database (CMDB) has vulnerabilities.

  • Assess exploitability by analyzing the description, custom attributes, CVSS v3 scores, exploit code maturity, and other relevant information.

Configure Flashpoint Ignite

Integrate with Flashpoint Ignite as a feed source and start receiving threat intel in Intel Exchange. You can use the following sections for more information:

Configure Flashpoint Ignite as a Feed Source

Configure Flashpoint Ignite as an API feed source in Intel Exchange to retrieve indicators of compromise (IOCs), vulnerabilities and reports from Flashpoint Ignite.

Before you Start 

  • You must have the View API Feed, View Feed Source, Create Feed Source, and Update Feed Source permissions in Intel Exchange.

  • You must have the base URL and API key of your Flashpoint Ignite account.

    Note

    • Ensure that the bearer token includes the permissions to retrieve reports, vulnerabilities, and indicator feeds. If the bearer token does not have permission to retrieve a specific feed, then the respective feed channel is disabled automatically and displays a connection error.

    • If you have the API credentials of the Flashpoint tool, note that the FPTools platform and API will be decommissioned on August 1, 2024. For more information on how to generate the Flashpoint Ignite bearer token, see Generating an API Token in Ignite.

Steps 

To configure Flashpoint Ignite as an API feed source in Intel Exchange, follow these steps:

  1. Go to Administration > Integration Management. In FEED SOURCES, click APIs.

  2. Click Add API Source.

  3. Search and select Flashpoint Ignite.

  4. Click Add Instance and enter the following details:

    • Instance Name: Enter a unique name to identify the instance. For example, Prod-Flashpoint Ignite.

    • Base URL: Enter the base URL of your Flashpoint Ignite instance. The default base URL is https://api.flashpoint.io.

    • Bearer Token: Enter the API token to authenticate communication between the Intel Exchange and Flashpoint Ignite servers.

    • Verify SSL: Select Verify SSL to verify the SSL certificate and secure the connection between the Intel Exchange and Flashpoint Ignite servers. By default, Verify SSL is selected.

      Note

      Enabling SSL verification is recommended. If you disable this option, an expired SSL certificate may be used while configuring the instance. The connection may then not be established properly, and you will not be notified of a broken or improper connection.

  5. Click Save.

After Flashpoint Ignite is configured successfully, you can view the feed channels. You can configure multiple instances by clicking Manage > Add More.

Configure Flashpoint Ignite Feed Channels

Configure the Flashpoint Ignite feed channels to retrieve threat intel feeds related to reports, vulnerabilities, and IOCs.

Steps 

To configure a feed channel, follow these steps:

  1. Go to Administration > Integration Management. In FEED SOURCES, click APIs.

  2. Search and select the Flashpoint Ignite app.

  3. Click the vertical ellipsis, and select Manage.

  4. Click Manage Feed Channels.

  5. Select a feed channel and turn on the toggle. Use the following information while configuring the channel:

    • Start Date and Time: Enter the date and time from which to start polling feeds. The value must be within 15 days from the current time.

    • Collection Name: Enter the collection name to group the feeds retrieved from the channel. For example, Flashpoint Ignite Reports. A new collection is created, and all the feeds retrieved from the feed channel are stored in the collection.

    • Polling Cron Schedule: Select one of the following Polling Cron Schedule types to define when to poll the data:

      • Manual: Allows you to manually poll from the source collection.

      • Auto: Allows you to automatically poll for threat intel from sources at specific time intervals. The default polling cron schedule is Auto. In Polling Time, enter a frequency between 240 and 10080 minutes. The default polling time is 240 minutes.

        Note

        The schedules for Flashpoint Ignite's threat intel reports range from daily to quarterly. Therefore, we recommend setting a minimum polling frequency of 1440 minutes (24 hours) for the Retrieve Report Feeds channel.

    • TLP: Set the TLP for the feeds that do not have a TLP already assigned. The default TLP is Amber. Alternatively, you can select None to ensure that no TLP is assigned to the feeds.

    • Default Source Confidence: Enter the confidence score for the feeds that do not have a confidence score already assigned. The default confidence score is 100.

    • Deprecates after: Specify the number of days after which the threat data (indicator) will be marked as deprecated, unless the source defines its own expiry duration. The allowed range is 1-180 days.

    • Custom Score: Select the Relevance and Severity Score for the channel.

    • Default Tags: Select the tags to identify and categorize the feeds.

  6. Click Save.

The feed channel is configured, and you can poll feeds from the channel. Similarly, you can configure other feed channels of the Flashpoint Ignite API feed source.

Test Feed Channel Connectivity

Test the connectivity of the Flashpoint Ignite API feed channels to ensure that the connection with the correct API endpoint is established, and you have permission to poll feeds.

Before you Start 

  • Ensure that the Flashpoint Ignite API feed source is enabled.

  • Ensure that the feed channel whose connectivity you want to test is enabled.

Steps 

To test the connectivity of a feed channel, follow these steps:

  1. Go to Administration > Integration Management. In FEED SOURCES, click APIs.

  2. Search and select the Flashpoint Ignite app.

  3. On a feed channel, click the vertical ellipsis and select View Details.

  4. In the Working Status section, click Test Connectivity.

If the connection is established, then the working status shows Running. If the connectivity is broken, then the working status shows a Connection Error. Hover over the tooltip next to Connection Error to view the error code.

Note

When a feed channel loses connectivity, it is automatically disabled, and the system attempts to restore connectivity three times every hour. If the connectivity is successfully restored, the feed channel is automatically re-enabled.

To understand the error code and troubleshoot broken connectivity, see Troubleshoot Integrations.

For more information on how to poll feeds manually, view ingested intel, and manage API feed sources, see API Integrations.

Flashpoint Ignite Feed Channels

The following table lists all the feed channels and the Flashpoint Ignite API endpoints used for each feed channel.

| Feed Channel | API URL | Comment |
| --- | --- | --- |
| Retrieve Report Feeds | {{base_url}}/finished-intelligence/v1/reports | The featured reports of Flashpoint Ignite are ingested with the Flashpoint Featured Report tag. |
| | {{base_url}}/technical-intelligence/v1/event?report= | |
| Retrieve Vulnerability Feeds | {{base_url}}/vulnerability-intelligence/v1/vulnerabilities | For premium users, the vulnerability feeds include some additional attributes. For more information, see the List Vulnerabilities API. |
| | {{base_url}}/vulnerability-intelligence/v1/vulnerabilities/{id} | |
| Retrieve Indicator Feeds | {{base_url}}/technical-intelligence/v2/indicators | This feed channel returns the number of indicators per poll. For more information, see the Lists Indicators API. |

Note

Vulnerability feeds use CVE ID as the value. Flashpoint Ignite may provide vulnerabilities that have not been published yet, with the vulnerability title as the value instead of the CVE ID. When the vulnerabilities are later published, the Flashpoint Ignite API feed source will ingest them during the subsequent polling based on your configuration settings and create a related vulnerability with the CVE ID as the value. Therefore, we recommend you handle both CVE IDs and vulnerability titles as values when using playbooks or Intel Exchange Open APIs.
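
One way to follow this recommendation in a playbook or script, as an added example that is not part of the original documentation or of Intel Exchange: classify each vulnerability value as a CVE ID or a title, and group a title with its later-published CVE ID so the vulnerability is counted once. The record fields `value` and `related` and all sample values are constructed assumptions, not the Intel Exchange schema.

```python
import re

# CVE ID syntax: "CVE-", a 4-digit year, then a sequence of 4 or more digits.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$", re.IGNORECASE)


def classify_value(value):
    """Return ("cve", ID) or ("title", text) for a vulnerability value."""
    text = " ".join(value.split())          # collapse stray whitespace
    if CVE_RE.match(text):
        return ("cve", text.upper())
    return ("title", text)                  # unpublished: title is the value


def canonical_keys(records):
    """Map each normalized value to one canonical key per vulnerability."""
    keys = {}
    for rec in records:
        kind, norm = classify_value(rec["value"])
        key = norm
        if kind == "title":
            # A title related to a CVE-valued record takes the CVE ID as key.
            for rel in rec.get("related", []):
                rel_kind, rel_norm = classify_value(rel)
                if rel_kind == "cve":
                    key = rel_norm
                    break
        keys[norm] = key
    return keys


def group_by_vulnerability(records):
    """Group values so a title and its CVE ID count as one vulnerability."""
    groups = {}
    for norm, key in canonical_keys(records).items():
        groups.setdefault(key, []).append(norm)
    return groups


# Constructed sample records; "value" and "related" are hypothetical fields.
SAMPLE = [
    {"value": "Example Gateway Remote Command Execution",
     "related": ["CVE-2099-0001"]},
    {"value": "cve-2099-0001", "related": []},
    {"value": "Example Agent Local Privilege Escalation", "related": []},
    {"value": "CVE-2099-12345", "related": []},
]

if __name__ == "__main__":
    print(group_by_vulnerability(SAMPLE))
```
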

Migrating to Flashpoint Ignite Feed Source

If you are using Flashpoint as an API feed source in Intel Exchange, follow these steps to configure Flashpoint Ignite as an API feed source.

  1. Migrate from the Flashpoint Tools platform to the Flashpoint Ignite platform. For a seamless migration, contact your Flashpoint Customer Success representative.

  2. After migrating to the Flashpoint Ignite platform, create a bearer token. For more information on generating a Flashpoint Ignite bearer token, see Generating API Token in Ignite.

  3. Update the existing Flashpoint API feed source instance with the Flashpoint Ignite base URL (https://api.flashpoint.io) and bearer token.

The Flashpoint Ignite API feed source is configured. The feed channels will start retrieving feeds from the Flashpoint Ignite platform based on the polling preference you have configured for the channels.