Securin

Connector Category: API Feed Source

Notice

This integration is available in Intel Exchange from v3.7.5.8 (LA) onwards.

About Integration

Intel Exchange integrates with Securin to provide enriched threat intelligence, helping analysts identify and assess key risks more efficiently. This integration enhances visibility by delivering focused insights on threat actors and vulnerabilities, enabling proactive detection, informed investigations, and streamlined enrichment workflows within Intel Exchange.

In Intel Exchange, the Securin integration retrieves the following types of threat data objects:

  • Threat Actors

  • Attack Pattern

  • Malware

  • Identity

  • Tool

  • Location

  • Vulnerability

Use Cases 

  • Access up-to-date threat-actor and vulnerability intelligence to stay ahead of emerging risks.

  • Prioritize remediation efforts using Securin's vulnerability severity, exploitability, and risk insights.

  • Investigate adversary behaviour and techniques using threat-actor intelligence from Securin.

  • Enhance threat-hunting workflows with focused intelligence on active adversaries and associated vulnerabilities.

  • Distribute relevant threat-actor and vulnerability insights across teams to support informed decision-making.

Configure Securin

Integrate with Securin as a feed source and start receiving threat intel in Intel Exchange. You can use the following sections for more information:

Configure Securin as a Feed Source

Configure Securin as an API feed source in Intel Exchange to retrieve threat actors and vulnerabilities from Securin.

Before you Start 

  • You must have the View API Feed, View Feed Source, Create Feed Source, and Update Feed Source permissions in Intel Exchange.

  • You must have the base URL and API key of your Securin account.

Steps 

To configure Securin as an API feed source in Intel Exchange, follow these steps:

  1. Go to Administration > Integration Management. In FEED SOURCES, click APIs.

  2. Click Add API Source.

  3. Search and select Securin.

  4. Click Add Instance and enter the following details:

    • Instance Name: Enter a unique name to identify the instance. For example, Prod-Securin.

    • Base URL: Enter the base URL of your Securin instance. The default base URL is https://platformapi.securin.io.

    • Client ID: Enter the client ID to authenticate with the server. For example, c2xxxx94-149e-4xx2-bxxd-5f29ef878b97.

    • Client Secret: Enter the client secret.

    • Account ID: Enter the unique identifier of your Securin instance account.

    • Verify SSL: Select this to verify the SSL certificate and secure the connection between the Intel Exchange and Securin servers. By default, verification is enabled.

      Note

      Enabling SSL verification is recommended. If you disable this option, the instance may be configured with an expired SSL certificate. The connection may then not be established properly, and you will not be notified of a broken or improper connection.

  5. Click Save.

After Securin is configured successfully, you can view the feed channels. You can configure multiple instances by clicking Manage > Add More.
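
A pre-flight check for the Verify SSL note above, as an added example that is not part of the Intel Exchange or Securin documentation: run from the Intel Exchange host, it performs a fully verified TLS handshake with the base URL and reports whether the certificate is trusted and how long it remains valid, so that verification can stay enabled. The function names, status labels, and the 30-day warning window are assumptions.

```python
import socket
import ssl
import time
from urllib.parse import urlsplit

WARN_DAYS = 30  # assumed renewal warning window, not a product setting


def days_until_expiry(not_after, now=None):
    """Days left before a certificate's notAfter (getpeercert() date format)."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400


def classify(not_after, now=None, warn_days=WARN_DAYS):
    """Map the remaining lifetime to EXPIRED, EXPIRING or OK."""
    left = days_until_expiry(not_after, now)
    if left < 0:
        return "EXPIRED"
    return "EXPIRING" if left < warn_days else "OK"


def check_base_url(base_url, timeout=10):
    """Handshake with full verification; return (status, detail)."""
    parts = urlsplit(base_url)
    if parts.scheme != "https" or not parts.hostname:
        return "REJECTED", "base URL must be https://host"
    # Default context: CERT_REQUIRED, hostname check, system trust store.
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((parts.hostname, parts.port or 443),
                                      timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=parts.hostname) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        # Expired, self-signed, wrong hostname: what Verify SSL would reject.
        return "UNTRUSTED", exc.verify_message
    except OSError as exc:
        return "CONNECT_ERROR", str(exc)
    return classify(not_after), not_after


if __name__ == "__main__":
    # Default base URL from this page; replace with your instance's base URL.
    print(check_base_url("https://platformapi.securin.io"))
```

An UNTRUSTED or EXPIRING result is a reason to fix the certificate path or trust store on the host, not to clear Verify SSL.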

Configure Securin Feed Channels

Configure the feed channels to retrieve threat data from Securin and store them in collections within Intel Exchange.

Steps 

To configure the feed channels, follow these steps:

  1. Go to Administration > Integration Management. In FEED SOURCES, click APIs.

  2. Search and select Securin.

  3. Click the vertical ellipsis, and select Manage.

  4. Click Manage Feed Channels.

  5. Select a feed channel and turn on the toggle. Use the following information while configuring the channel:

    • Start Date and Time: Enter the date and time to start polling feeds. Select a date within 15 days from the current date.

    • CVSS Score Threshold: Filter vulnerabilities based on their CVSS score.

    • Include vulnerabilities exploited in the wild: Filter vulnerabilities that are actively exploited.

    • Affected Industries: Select industries from the dropdown to filter vulnerabilities based on impacted sectors.

    • Collection Name: Enter the name of the collection to group the feed data. For example, Securin Feeds. Intel Exchange creates the collection and stores all the feeds from the feed channel.

    • Polling Cron Schedule: Select from one of the following Polling Cron Schedule types to define when to poll the data:

      • Manual: Allows you to manually poll from the source collection.

      • Auto: Allows you to automatically poll for threat intel from sources at specific time intervals. The default polling cron schedule is Auto. In Polling Time, enter a frequency between 240 and 21600 minutes. The default polling time is 240 minutes.

    • TLP: Set the TLP for the feeds that do not have a TLP already assigned. The default TLP is Amber. Alternatively, you can select None to ensure that no TLP is assigned to the feeds.

    • Default Source Confidence: Enter the confidence score for the feeds that do not have a confidence score already assigned. The default confidence score is 100.

    • Deprecates after: Specify the number of days after which the threat data (indicator) will be marked as deprecated, unless the source defines its own expiry duration. The allowed range is 1-180 days.

    • Custom Score: Select the Relevance and Severity Score for the channel.

    • Default Tags: Select any tags to identify and categorize the feeds.

    Note

    The fields CVSS Score Threshold, Must be Exploited in the Wild, and Affected Industries are applicable only for the Vulnerability feed channel.

  6. Click Save.

The feed channel is configured, and you can poll feeds from the channel. You can also enable the other feed channels, poll feeds from them, and view the feeds.

Test Feed Channel Connectivity

Test the connectivity of the Securin API feed channels to ensure that the connection with the correct API endpoint is established and that you have permission to poll feeds.

Before you Start 

  • Ensure that the Securin API feed source is enabled. 

  • Ensure that the feed channel for which you want to test connectivity is enabled.

Steps 

To test the connectivity of a feed channel, follow these steps:

  1. Go to Administration > Integration Management. In FEED SOURCES, click APIs.

  2. Search and select the Securin app.

  3. On a feed channel, click the vertical ellipsis and select View Details.

  4. In the Working Status section, click Test Connectivity.

If the connection is established, then the working status shows Running. If the connectivity is broken, then the working status shows a Connection Error. Hover over the tooltip next to Connection Error to view the error code.

Note

When a feed channel loses connectivity, it is automatically disabled, and the system attempts to restore connectivity three times every hour. If the connectivity is successfully restored, the feed channel is automatically re-enabled.

To understand the error code and troubleshoot broken connectivity, see Troubleshoot Integrations.

Securin Feed Channels

The following table lists the feed channels and the API endpoints used to retrieve feeds from Securin:

| Feed Channel | API Endpoint |
| --- | --- |
| Retrieve Vulnerability Feeds | {base_url}/integration-service/api/v1/accounts/{{account_id}}/vulnerabilities/_search |
| Retrieve Threat Actors Feeds | {base_url}/integration-service/api/v1/accounts/{{account_id}}/threat-actors/_search |