API Integrations
Application Programming Interface (API) feeds are software intermediaries that allow two applications to communicate with each other. In Intel Exchange, administrators can configure API feed sources to receive threat intelligence data at specified time intervals. Each API feed source provides unique feed channels to receive different types of threat intelligence data from various sources, such as hashes, URLs, indicators, threat actors, and more. You can manage the API connector configurations and start receiving threat intel packages from the configured API sources.
Add an API Feed Source Instance
You can add an API feed instance in Intel Exchange to use an API source. These sources retrieve threat intelligence data from third-party connectors.
Before you Start
Ensure that you have the View API Feed, View Feed Source, Create Feed Source, and Update Feed Source permissions.
Ensure that you have the authentication keys and credentials of the selected API source to add an instance.
Steps
To add an API feed source instance, follow these steps:
Go to Administration > Integration Management, and select APIs under Feed Sources.
Click Add API Source, and select an application.
Click Add Instance.
Enter feed source information, such as an Instance Name, Base URL, and application-specific authentication credentials.
Each API feed source has a unique set of authentication credentials. For connector-specific documentation, see Integrations.
Click Save.
You can add multiple instances for an API source, based on your requirements, by clicking Manage and Add More. However, each instance requires a different set of authentication credentials.
Configure API Feed Channels
After you add an instance, enable the feed channels to poll threat data. Data received from each of these feed channels is stored in a collection.
Steps
To configure API feed channels, follow these steps:
Go to Administration > Integration Management, and select APIs under Feed Sources.
Select an API feed source, click the vertical ellipsis in the upper-right corner, and select Manage.
Click Manage Feed Channels.
Select a feed channel, and enable the toggle switch to set the instance to active.
Enter the date and time to start polling feeds. This date must be within the last 15 days of the current date.
Enter a collection name of up to 100 characters to collect the feed data. The system creates a collection and puts all the feeds into the collection.
Select one of the following Polling Cron Schedule options to specify the poll type for your API feed source account:
Select Manual to manually poll for data.
Select Auto to automatically poll for data. In Polling Time, enter the frequency in minutes for automatic polling. By default, Auto is selected.
Set a Default TLP and Default Source Confidence to assign to the incoming feeds. These default values are useful if the incoming feeds do not already have a TLP and confidence score assigned to them.
Enter the default values for the custom scores you have configured in Administration > Configuration > Custom Scores.
Select one or more Default Tags to identify and categorize the feeds.
Click Save.
You can view the updated changes in View Details.
Poll API Feeds Manually
You can manually poll data even if you enabled Auto while configuring the feed channels. With Auto, polling is done automatically.
Steps
To manually poll API feeds, follow these steps:
Go to Administration > Integration Management > Feed Sources, and select APIs.
Select an API feed source and select a feed channel.
Click the vertical ellipsis and click Poll Now.
View API Feeds in CTIX
After configuring the integration, you can view the intel received from the feed source.
Steps
To view API feeds in Intel Exchange, follow these steps:
Go to Administration > Integration Management > Feed Sources, and select APIs.
Select the API feed source and select a feed channel.
Click the vertical ellipsis and select View Intel. You can view the IOCs received in the feeds from this source in Threat Data.
Supported Actions for API Feed Source
You can perform the following actions after you configure the API feed source:
Reset Tool: Click the ellipsis at the upper-right corner to reset any added instances for the API feed source.
View Intel: Click View Intel at the upper-right corner to view the threat intelligence data received from the feed source in Threat Data.
View Details: Click the ellipsis on the feed channel and select View Details to view details of the selected feed channel, such as the last polling information, the selected polling type, the user that modified any details, and more.
View Intel: Click the ellipsis on the feed channel and select View Intel to view the intel specifically received using that feed channel in Threat Data.
Edit Config: Click the ellipsis on the feed channel and select Edit Config to modify the configurations of the feed channel. You can modify the polling type, collection name, polling date, and the default values for the custom scores you have configured in Administration > Configuration > Custom Scores.
Poll Now: Click the ellipsis on the feed channel and select Poll Now to manually poll data using the selected feed channel.