Create Intel from RSS Feeds
You can directly create intel for the IOCs received in an RSS feed.
Before you Start
You must have View RSS Feeds and Create Intel permissions.
Steps
To create intel from the RSS feeds, do the following:
Go to Main Menu > Collection > RSS Feeds.
Select a feed, and click Create Intel.
Select the required IOCs from Content or create new objects to create intel.
For more information about creating new objects, see Create Objects for RSS Content.
To add additional metadata to the intel, click + Add Metadata. You can view the metadata retrieved from the RSS feed. You can modify the following details to create intel:
Title: Enter a title for the intel, up to 100 characters.
Description: Enter a description for the intel, up to 2000 characters.
TLP: Select a TLP for the intel.
Confidence score: Select a confidence score for the intel.
Tags: Add tags to categorize the intel.
Custom Scores: Enter the values for the custom scores configured by the administrator in Administration > Configuration > Custom Scores.
Apply Metadata to all Objects: Select this option to apply the metadata to all selected objects of the intel. If you do not select this option, the metadata is applied only to the report object created for the RSS feed.
Note
The description is added only to the report object and not to the objects you selected to include in the intel.
Click Create Intel.
If you are creating intel from this feed for the first time, the platform automatically creates a new report object. If you are creating intel again from the same feed, the platform prompts you to choose a report object to store the intel:
Add to Existing Report: Select to create the intel in an existing report.
Create New Report: Select to create a new report object for the intel.
Click Save.
You can view the intel created in Threat Data by the given report name.
Create Objects for RSS Content
You can create new threat data objects while creating intel for RSS feeds. This is useful when the platform fails to parse specific items while scanning the feed. You can either create a new object type or choose from the existing parsed object types to add a new object.
Steps
To create objects while creating intel for RSS feeds, do the following:
Go to Main Menu > Collection > RSS Feeds.
Select a feed, and click Create Intel.
If the platform is unable to parse any objects in the selected feed, you can manually add the objects that you find.
To create new objects, do the following:
Create a new object type: Click Add Object opposite to Content and provide the following details:
Select an object type to assign to the new object. You can choose from threat actors, malware, ipv4 addr, ipv6 addr, Email addr, and more.
Enter the value of the object to create. For example, to create an ipv4 address object, select ipv4 addr as the object type, and enter 1.1.1.1 as its value.
Click Save.
To reset the fields, click Remove.
Create an object for parsed object types: Select a parsed object type, and click Add opposite to the selected type. Perform the following steps to create an object for a parsed object type:
Enter the value of the object to create. For example, to create a domain object, click Add Domain opposite to Domain and enter a domain value.
Click Save.
To reset the fields, click Remove.
Similarly, you can create objects for other parsed object types.
If an object is incorrectly parsed, you can modify it. To modify an object, do the following:
Click the vertical ellipsis of an object and select Edit.
Modify the object value and click Save.
Click Create Intel.
If you are creating intel from this feed for the first time, the platform automatically creates a new report object. If you are creating intel again from the same feed, the platform prompts you to choose a report object to store the intel:
Add to Existing Report: Select to create the intel in an existing report.
Create New Report: Select to create a new report object for the intel.
Click Save.
You can view the intel created in Threat Data by the given report name.