Feed Sources
When you choose to retain the source confidence score from API feed sources, the CTIX confidence score engine does not re-calculate the confidence score and keeps the source-reported score as the CTIX confidence score.
If an indicator for which the source confidence is retained is then reported by another source, the platform checks whether source confidence is also retained for the new source. The platform then takes one of the following actions:
If source confidence is retained for the new source, then the platform retains the latest score received from the source as the CTIX Confidence Score.
If source confidence is not retained for the new source, then the platform re-calculates the confidence score.
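The following Python sketch models the rule above to show that the resulting CTIX score depends on which source reported last. It is an added illustration, not CTIX code: the class and function names, the sample feed names and the stand_in_recalc function are assumptions, since this page does not describe how the engine re-calculates a score.

```python
from dataclasses import dataclass, field
from statistics import mean
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Report:
    source: str   # feed source name (constructed sample value)
    score: int    # confidence reported by the source, 0-100
    retain: bool  # True if "retain source confidence" is on for this source


def stand_in_recalc(latest: Dict[str, int]) -> int:
    # Assumption: placeholder for the CTIX confidence engine, whose
    # algorithm is not described on this page. Averages the latest scores.
    return round(mean(latest.values()))


@dataclass
class IndicatorScore:
    recalc: Callable[[Dict[str, int]], int] = stand_in_recalc
    latest: Dict[str, int] = field(default_factory=dict)
    ctix_score: Optional[int] = None
    retained_from: Optional[str] = None  # source whose score is retained

    def ingest(self, report: Report) -> int:
        self.latest[report.source] = report.score
        if report.retain:
            # Retained source: the latest source score becomes the CTIX score.
            self.ctix_score, self.retained_from = report.score, report.source
        else:
            # Non-retained source: the engine re-calculates the score.
            self.ctix_score = self.recalc(self.latest)
            self.retained_from = None
        return self.ctix_score


def replay(reports: List[Report]) -> List[Tuple[int, Optional[str]]]:
    """Return (CTIX score, retained source) after each report for one indicator."""
    indicator = IndicatorScore()
    return [(indicator.ingest(r), indicator.retained_from) for r in reports]


# Constructed sample: three sources reporting the same indicator.
SAMPLE = [
    Report("feed-a", 90, True),
    Report("feed-b", 40, False),
    Report("feed-c", 70, True),
    Report("feed-a", 85, True),
]

if __name__ == "__main__":
    for score, retained in replay(SAMPLE):
        print(score, retained or "re-calculated")
```
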
Timeline is missing in some objects ingested from the feed sources.
The timeline feature is available exclusively for indicator objects. However, during periods of heavy feed polling, there may be a delay in displaying the timeline. We recommend waiting for a while and then reloading the page.
CTIX provides you with the Exponential Backoff Entry setting while configuring an API feed source. This option enables CTIX to retry establishing a broken connection with the API feed.
Exponential Backoff Entry enables CTIX to retry establishing a broken connection with a configured API source. When enabled, it increases and extends the wait time between the retries after each failure.
For example, with a retry interval of 10 minutes, CTIX retries 10 minutes after the first failure, 100 minutes after the second failure, 1000 minutes after the third, and so on.
CTIX incrementally increases the wait time between consecutive retry requests after each failure. This gives the service time to recover, so that a fault caused by service overload can resolve faster.
Enable automatic ingestion only for the feed sources and collections that you require. Enabling automatic ingestion for all sources and collections may slow down your system or make it unresponsive.
Navigate to Administration > Integration Management > Feed Sources > STIX, and click on any STIX source to view all the collections associated with it.
You can view the following set of information for a STIX source collection:
Name: The name of the collection.
Last Available Date: The last date and time when the platform performed a successful poll and received threat intel. For example, the platform fetched threat intel from the collection on May 28 at 11:30 AM and on May 29 at 10:00 AM. However, data was only received on May 28. Therefore, the last available date is displayed as May 28, 11:30 AM.
Polling Type: The polling type configured for the collection. For example, Manual or Automatic.
Status: The current connectivity status of the collection, that is, whether the platform is actively connected and receiving threat intel from the source.
Subscribed: The current subscription status of the collection, that is, whether the collection is enabled or disabled in the platform to poll threat intel.
Frequency (Min): The frequency at which the platform automatically polls threat intel from the collection. This is defined in minutes for automatic polling type.
Collection Type: The type of collection, which defines whether CTIX can only poll threat intel from the collection or can also send data back to it. For example, a collection of type Inbox can receive threat intel from its subscribers, whereas a collection of type Polling can only share threat intel with its subscribers.