Configure an API Source and Poll Threat Data
You can configure an API source to pull threat intelligence into the CTIX application from vendors such as Flashpoint, Alien Vault, Flexera, Mandiant, and more. Each source can be polled automatically at a fixed interval or fetched manually on demand.
Before you Start
To configure an API source:
Ensure that you have the View Feed Source, Create Feed Source, and View & Update Feed Source permissions to access Feed Sources in Integration Management.
Ensure that you have the following authentication resources and credentials to configure the required API sources:
API Source - Required Credentials
Alien Vault - API Key
Anomali ThreatStream - Base URL, Username, API Key
Bambenek Consulting - Base URL, Username, Password
Cofense Intelligence - Base URL, Username, Password
CrowdStrike Inc. - Base URL, Client ID, Client Secret
Flashpoint - Base URL, Bearer Token
Flexera - Base URL, API Key
Intel471 - Base URL, Username, Password
MISP - Base URL, API Key
MITRE ATT&CK - Base URL
Mandiant Threat Intelligence - Base URL, API Key, Secret Key
IBM QRadar - Base URL, Username/Password or Authentication Token
Recorded Future - Base URL, API Key
RiskIQ PassiveTotal - Base URL, Username, Password
SlashNext - Base URL, Access Key
Volon - Base URL, API Key
Steps
To configure an API source, do the following:
Configure a new API source
Configure a feed channel
Poll for threat data
View Polled Threat Data
Configure a New API Source
API sources allow you to receive threat data from third-party connectors. You can add multiple instances (accounts) of the same API source, for example to spread polling across the API quota available to each account.
To configure a new API source, do the following:
From Administration, select Integration Management.
Under Feed Sources, select APIs.
Click Add API Source, and select the API feed to add.
Click Add Instance.
Enter the authentication resources and credentials and click Save.
The Base URL field is prepopulated with the vendor's default endpoint; edit it only if your deployment uses a different endpoint.
Configure a Feed Channel
Use feed channels in CTIX to configure and segregate different data feeds that you receive through an integration.
For example, CTIX integration with Recorded Future provides the IP, hash, vulnerability, domain, and URL feeds. This data is stored in separate collections. The number of feed channels differs for different vendor integrations.
To configure a feed channel, do the following:
In Integration Management, select APIs.
Select the API feed, click the ellipsis (...) at the top right corner of the page, and select Manage.
On the Manage Instance window, click Manage Feed Channel(s).
Click the expand (>) icon of the instance to poll, and enable the instance.
Enter the date and time from which you want to poll the data.
Enter a collection name to identify the type of data received from the feed channel.
For example, enter Hash Feeds Data as the collection name to retrieve hash feeds through Recorded Future.
Select from one of the following Polling Cron Schedule types to poll the data:
Manual - Allows you to manually poll from the source collection.
Auto - Allows you to automatically poll for threat intel from sources at specific time intervals. Enter a frequency in seconds in the Polling Time field.
Select a TLP to assign to the feeds.
For example, select Amber when the information may be shared only on a need-to-know basis within the recipients' organization.
Set the confidence score to assign to the feeds.
For example, set 75 to assign a confidence score of 75 to the intel fetched through this feed channel.
Select relevant tags to associate with the feeds.
Tags allow you to organize and differentiate the data received through the feed channel.
To have CTIX retry a broken connection to the tool server, enable Broken Connection Retry Policy.
If the connection is broken, CTIX automatically retries to establish the connection with the tool server according to the following options:
Retry Interval Unit - Select the unit of the interval: minutes, days, or weeks.
Retry Interval - Enter the interval as a number, such as 20 or 30.
Retry Count - Enter the number of times CTIX should try to reconnect to the tool server, such as 2 or 3.
For example, with a retry interval of 20 days and a retry count of 3, CTIX retries up to three times, 20 days apart.
To lengthen the wait between retries after each failed attempt, select Exponential Backoff Entry.
For example, with a 10-minute exponential retry interval, the system re-attempts the connection after 10, 100, 1000, 10000, and so on, minutes.
Backing off this way avoids flooding the tool server and CTIX with repeated connection attempts while the outage persists, leaving resources free for other tasks.
Click Save.
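The feed-channel settings above (poll-from time, Manual or Auto schedule with a polling time in seconds, TLP, confidence score, tags, and the retry policy with optional exponential backoff) are easier to reason about as a small model. The following is an added example, not CTIX product code: it shows how those fields drive one poll, how fetched indicators get stamped with the channel's TLP, confidence and tags, and how a broken connection is retried. The vendor API is stood in for by a constructed flaky source; the retry schedule reproduces the page's 20-day/3-retry and 10-minute exponential (10, 100, 1000 ...) examples, and the tenfold growth factor for other intervals is an assumption drawn from that example.

```python
# Added example (not CTIX product code): a model of how a feed channel's
# settings drive polling, indicator stamping, and broken-connection retries.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple

# Unit names mirror the Retry Interval Unit choices on the page.
UNIT_SECONDS = {"minutes": 60, "days": 86_400, "weeks": 7 * 86_400}


@dataclass
class RetryPolicy:
    """Broken Connection Retry Policy fields."""
    enabled: bool = False
    interval: int = 0          # Retry Interval
    unit: str = "minutes"      # Retry Interval Unit
    count: int = 0             # Retry Count
    exponential_backoff: bool = False

    def delays(self) -> List[timedelta]:
        """Wait before each retry, in order.

        Fixed: interval, interval, ... (count entries).
        Exponential: the page's example (10-minute interval -> 10, 100, 1000 ...)
        is reproduced as interval * 10**n; the growth factor of 10 is an assumption.
        """
        if not self.enabled or self.count <= 0:
            return []
        base = self.interval * UNIT_SECONDS[self.unit]
        return [
            timedelta(seconds=base * (10 ** n if self.exponential_backoff else 1))
            for n in range(self.count)
        ]


@dataclass
class FeedChannel:
    collection: str
    poll_from: datetime             # date/time from which data is polled
    schedule: str = "manual"        # Polling Cron Schedule: "manual" or "auto"
    polling_time: int = 0           # seconds between auto polls
    tlp: str = "amber"
    confidence: int = 50
    tags: List[str] = field(default_factory=list)
    retry: RetryPolicy = field(default_factory=RetryPolicy)

    def next_poll(self, last: datetime) -> Optional[datetime]:
        """Auto channels poll every polling_time seconds; manual ones never self-schedule."""
        if self.schedule != "auto" or self.polling_time <= 0:
            return None
        return last + timedelta(seconds=self.polling_time)


def poll_channel(channel: FeedChannel, fetch: Callable[[datetime], List[Dict]]
                 ) -> Tuple[List[Dict], List[timedelta]]:
    """Fetch from the source, retrying per the channel's policy on ConnectionError.

    fetch(since) stands in for the vendor API call. Returns the indicators, each
    stamped with the channel's collection/TLP/confidence/tags, and the waits that
    were applied before each retry (a real poller would sleep for them).
    """
    delays = channel.retry.delays()
    waits: List[timedelta] = []
    for attempt, wait in enumerate([None] + delays):
        if wait is not None:
            waits.append(wait)
        try:
            raw = fetch(channel.poll_from)
        except ConnectionError:
            if attempt == len(delays):
                raise                # retries exhausted: surface the broken connection
            continue
        return [
            {**ind, "collection": channel.collection, "tlp": channel.tlp,
             "confidence": channel.confidence, "tags": list(channel.tags)}
            for ind in raw
        ], waits
    raise RuntimeError("unreachable: last failed attempt re-raises")


def make_flaky_source(failures: int, indicators: List[Dict]) -> Callable[[datetime], List[Dict]]:
    """Constructed stand-in for a vendor API: fails `failures` times, then answers."""
    state = {"calls": 0}

    def fetch(since: datetime) -> List[Dict]:
        state["calls"] += 1
        if state["calls"] <= failures:
            raise ConnectionError("tool server unreachable")
        return [i for i in indicators if i["first_seen"] >= since]
    return fetch


SAMPLE_HASHES = [  # constructed sample data, not real intel
    {"type": "sha256", "value": "a" * 64, "first_seen": datetime(2024, 5, 1, tzinfo=timezone.utc)},
    {"type": "sha256", "value": "b" * 64, "first_seen": datetime(2024, 3, 1, tzinfo=timezone.utc)},
]


def demo() -> Tuple[List[Dict], List[timedelta], FeedChannel]:
    """One poll of a hash-feed channel whose source fails twice before answering."""
    channel = FeedChannel(
        collection="Hash Feeds Data",
        poll_from=datetime(2024, 4, 1, tzinfo=timezone.utc),
        schedule="auto", polling_time=3600, tlp="amber", confidence=75,
        tags=["recorded-future", "hash"],
        retry=RetryPolicy(enabled=True, interval=20, unit="days", count=3),
    )
    indicators, waits = poll_channel(channel, make_flaky_source(2, SAMPLE_HASHES))
    return indicators, waits, channel


if __name__ == "__main__":
    inds, waits, ch = demo()
    print(len(inds), "indicator(s) after", len(waits), "retries of", [w.days for w in waits], "days")
    print("next auto poll:", ch.next_poll(datetime(2024, 6, 1, tzinfo=timezone.utc)))
```

Only the hash first seen after the poll-from time comes back, stamped with the channel's collection, TLP, confidence and tags; the two failed attempts consume two of the three 20-day retries. Swap the fixed policy for `RetryPolicy(enabled=True, interval=10, unit="minutes", count=4, exponential_backoff=True)` to see the 10, 100, 1000, 10000 minute schedule from the text.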
Poll for Threat Data
To poll an instance, do the following:
From Administration, select Integration Management.
Under Feed Sources, select APIs.
Open a configured API feed.
For example, Alien Vault.
Click the ellipsis (...) of the instance to poll and select Poll Now.
CTIX fetches the threat intel from the API source and updates the Threat Data page.
You can view the polled threat intel updates in View Intel.
View Polled Threat Data
After configuring and polling for the threat data, you can check the data received from the API feed sources.
To view the polled threat data, do the following:
From Administration, select Integration Management.
Under Feed Sources, select APIs.
Select the API feed source and open View Intel to view the polled threat data.
You can view the polled threat intel on the Threat Data page.