
Cyware Threat Intelligence eXchange

Configure an API Source and Poll Threat Data

You can configure an API source to receive threat intel into the CTIX application from vendors such as Flashpoint, Alien Vault, Flexera, Mandiant, and more. You can poll for threat data automatically at a specified interval or fetch it manually.

Before you Start

To configure an API source:

  • Ensure that you have the View Feed Source, Create Feed Source, and View & Update Feed Source permissions to access Feed Sources in Integration Management.

  • Ensure that you have the following authentication resources and credentials to configure the required API sources:

    API Source: Required Credentials

    Alien Vault: API Key
    Anomali ThreatStream: Base URL, Username, API Key
    Bambenek Consulting: Base URL, Username, Password
    Cofense Intelligence: Base URL, Username, Password
    CrowdStrike Inc.: Base URL, Client ID, Client Secret
    Flashpoint: Base URL, Bearer Token
    Flexera: Base URL, API Key
    Intel471: Base URL, Username, Password
    MISP: Base URL, API Key
    Mitre ATT&CK: Base URL
    Mandiant Threat Intelligence: Base URL, API Key, Secret Key
    IBM QRadar: Base URL, Username/Password or Authentication Token
    Recorded Future: Base URL, API Key
    RiskIQ PassiveTotal: Base URL, Username, Password
    SlashNext: Base URL, Access Key
    Volon: Base URL, API Key

Steps

To configure an API source, do the following:

  1. Configure a new API source

  2. Configure a feed channel

  3. Poll for threat data

  4. View polled threat data

Configure a New API Source

API sources allow you to receive threat data from third-party connectors. If a vendor enforces a per-account quota, an analyst can add multiple instances of the same API source, one per account, to stay within that quota.

To configure a new API source, do the following:

  1. From Administration, select Integration Management.

  2. Under Feed Sources, select APIs.

  3. Click Add API Source, and select the API feed to add.

  4. Click Add Instance.

  5. Enter the authentication resources and credentials and click Save.

    The Base URL is pre-filled with a default value; edit it if your account uses a different endpoint.

Configure a Feed Channel

Use feed channels in CTIX to configure and segregate different data feeds that you receive through an integration.

For example, CTIX integration with Recorded Future provides the IP, hash, vulnerability, domain, and URL feeds. This data is stored in separate collections. The number of feed channels differs for different vendor integrations.

To configure a feed channel, do the following:

  1. In Integration Management, select APIs.

  2. Select the API feed, click the ellipsis (...) at the top right corner of the page, and select Manage.

  3. On the Manage Instance window, click Manage Feed Channel(s).

  4. Click the expand (>) icon of the instance to poll, and enable the instance.

  5. Enter the date and time from when you want to poll the data.

  6. Enter a collection name to identify the type of data received from the feed channel.

    For example, enter Hash Feeds Data as the collection name to retrieve hash feeds through Recorded Future.

  7. Select one of the following Polling Cron Schedule types to poll the data:

    • Manual - Allows you to manually poll from the source collection.

    • Auto - Allows you to automatically poll for threat intel from sources at specific time intervals. Enter a frequency in seconds in the Polling Time field.

  8. Select a TLP to assign your feeds.

    For example, select Amber when the intel may be shared only on a need-to-know basis within your organization and its clients, as TLP:AMBER defines.

  9. Set the confidence score for the feeds.

    For example, set 75 as the confidence score when you want the intel fetched through this channel to carry a confidence score of 75.

  10. Select relevant tags to associate with the feeds.

    Tags allow you to organize and differentiate the data received through the feed channel.

  11. To have CTIX retry a broken connection between CTIX and the tool server, enable Broken Connection Retry Policy.

    If the connection is broken, CTIX automatically retries the connection to the tool server based on the values you set in the following options:

    • Retry Interval Unit - Select the unit for the interval: minutes, days, or weeks.

    • Retry Interval - Enter the interval as a number, such as 20 or 30.

    • Retry Count - Enter the number of times CTIX should try to reconnect to the tool server, such as 2 or 3.

      For example, with a unit of days, an interval of 20, and a count of 3, CTIX retries the connection every 20 days, up to three times.

  12. To lengthen the wait between retries after each failed attempt, select Exponential Backoff Entry.

    For example, with a 10-minute retry interval, the system re-attempts the connection after 10, 100, 1,000, 10,000 minutes, and so on, subject to the Retry Count.

    This spreads out reconnection attempts so CTIX does not keep hammering a tool server that is already failing or overloaded, and frees its resources for other tasks in the meantime.

  13. Click Save.
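The following is an added example, not CTIX code and not a Cyware API: it models the feed channel settings from steps 5 to 10 (poll-from timestamp, collection name, TLP, confidence, tags, polling time) and the Broken Connection Retry Policy from steps 11 and 12 (interval unit, interval, count, exponential backoff), then polls a constructed, deliberately flaky sample source to show how the retry schedule, the retry-count cap, the poll-from cutoff and the labelling interact. All class, field and function names are assumptions chosen for illustration; the sample feed records are constructed, not vendor output.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional

# Retry Interval Unit -> minutes (the page offers minutes, days, or weeks).
MINUTES_PER_UNIT = {"minutes": 1, "days": 24 * 60, "weeks": 7 * 24 * 60}


class SourceUnavailable(Exception):
    """Raised by the simulated tool server when the connection is broken."""


@dataclass
class RetryPolicy:
    """Model of the Broken Connection Retry Policy settings (hypothetical names)."""
    interval_unit: str          # Retry Interval Unit
    interval: int               # Retry Interval
    count: int                  # Retry Count
    exponential: bool = False   # Exponential Backoff Entry

    def schedule(self) -> List[int]:
        """Minutes to wait before each retry attempt, in order."""
        unit = MINUTES_PER_UNIT[self.interval_unit]
        if not self.exponential:
            return [self.interval * unit] * self.count
        # Page example: a 10-minute interval retries after 10, 100, 1000, ... minutes,
        # i.e. the interval raised to successive powers, capped by the retry count.
        return [self.interval ** (n + 1) * unit for n in range(self.count)]


@dataclass
class FeedChannel:
    """Model of one feed channel's settings (hypothetical names)."""
    collection: str             # collection name, e.g. "IP Feeds Data"
    poll_from: datetime         # date and time from which to poll
    tlp: str                    # TLP assigned to the feed
    confidence: int             # confidence score assigned to the feed
    tags: List[str] = field(default_factory=list)
    polling_time_seconds: Optional[int] = None  # None = Manual, otherwise Auto


def make_flaky_source(records: List[Dict], failures: int) -> Callable[[], List[Dict]]:
    """Simulated tool server: fails `failures` times, then returns the records."""
    state = {"left": failures}

    def fetch() -> List[Dict]:
        if state["left"] > 0:
            state["left"] -= 1
            raise SourceUnavailable("simulated broken connection")
        return list(records)

    return fetch


def poll_channel(channel: FeedChannel, fetch: Callable[[], List[Dict]],
                 policy: RetryPolicy):
    """Poll once, retrying per policy; return (labelled records, waits in minutes)."""
    delays = policy.schedule()
    waited: List[int] = []
    while True:
        try:
            raw = fetch()
            break
        except SourceUnavailable:
            if len(waited) >= len(delays):      # retry count exhausted: give up
                raise
            waited.append(delays[len(waited)])  # a real poller would sleep here
    labelled = []
    for rec in raw:
        created = datetime.fromisoformat(rec["created"])
        if created < channel.poll_from:         # older than the poll-from timestamp
            continue
        labelled.append({**rec, "collection": channel.collection, "tlp": channel.tlp,
                         "confidence": channel.confidence, "tags": list(channel.tags)})
    return labelled, waited


# Constructed sample records standing in for a vendor's IP feed (not real vendor output).
SAMPLE_FEED = [
    {"type": "ipv4-addr", "value": "198.51.100.7", "created": "2024-03-01T08:00:00+00:00"},
    {"type": "ipv4-addr", "value": "203.0.113.9", "created": "2024-03-05T12:30:00+00:00"},
    {"type": "ipv4-addr", "value": "192.0.2.44", "created": "2024-03-06T09:15:00+00:00"},
]


def demo_channel() -> FeedChannel:
    return FeedChannel("IP Feeds Data", datetime(2024, 3, 2, tzinfo=timezone.utc),
                       tlp="AMBER", confidence=75, tags=["recorded-future", "ip"],
                       polling_time_seconds=3600)


def run_demo(failures: int = 2):
    """`failures` failed fetches, then success, under a 10-minute exponential policy."""
    policy = RetryPolicy("minutes", 10, 3, exponential=True)
    return poll_channel(demo_channel(), make_flaky_source(SAMPLE_FEED, failures), policy)


if __name__ == "__main__":
    records, waits = run_demo()
    print("waited (minutes):", waits)
    for r in records:
        print(r)
```

With the default two failures the poller waits 10 and then 100 minutes before the third fetch succeeds, and only the two records dated after the poll-from timestamp are kept, each stamped with the collection name, TLP, confidence and tags. With four failures the third retry is the last allowed by a count of 3, so the fourth failure propagates, which is the behaviour a practitioner should expect from the Retry Count: it caps attempts, it does not guarantee eventual success.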

Poll for Threat Data

To poll an instance, do the following:

  1. From Administration, select Integration Management.

  2. Under Feed Sources, select APIs.

  3. Open a configured API feed.

    For example, Alien Vault.

  4. Click the ellipsis (...) of the instance to poll and select Poll Now.

    CTIX fetches the threat intel from the API source and updates the Threat Data page.

    You can view the polled threat intel updates in View Intel.

View Polled Threat Data

After configuring and polling for the threat data, you can check the data received from the API feed sources.

To view the polled threat data, do the following:

  1. From Administration, select Integration Management.

  2. Under Feed Sources, select the APIs module.

  3. Select the API feed source and open View Intel to view the polled threat data.

    You can view the polled threat intel on the Threat Data page.