SlashNext
SlashNext integration with the CTIX application provides the latest domain, IP, and URL feeds. This integration can help you add contextual information to seemingly isolated threat data, give you visibility into the digital attack surface, and make threat investigations easier. You also gain insights as to who is attacking you, their tools and systems, and the indicators of compromise.
About SlashNext
SlashNext protects users from phishing attacks. While email security systems help block most—but not all—phishing emails, SlashNext solutions help close the gaps and extend protection to less well-defended attack vectors, and to add social engineering payloads, dramatically reducing the risk of breach.
Configure SlashNext App in CTIX
SlashNext is available as an out-of-the-box integration in the CTIX application.
Before you Start
Your user group should have permissions to update, create, and view feed sources.
You must have the base URL and the access key of your SlashNext account.
Steps
Use the following steps to configure the app in the CTIX application:
Sign in to the CTIX application.
Navigate to Administration, select Integration Management, and select APIs under FEED SOURCES.
Click Add API Source.
Use the search bar to locate SlashNext and click on the app.
Click Add Instance.
Enter the instance name, base URL, and access key.
To secure the connection between CTIX and SlashNext servers, click Verify SSL.
Click Save.
Configure Feed Channels for the SlashNext Integration
Feed channels configure the threat feed that you receive through this integration. The data received from this feed channel is stored in a collection. You can fetch indicators such as domain, IP, and URLs through this integration.
Steps
Navigate to Administration, select Integration Management, and select APIs under FEED SOURCES.
Use the search bar to locate SlashNext and click on the app.
Click the ellipsis on the top right corner and select Manage.
Click Manage Feed Channels.
Select a feed channel and enable it.
Enter the name of the collection to store the feed's data. The system creates the collection and puts all the feeds into this collection.
Enter the start date and time to poll data from the source.
Select the Polling Cron Schedule to specify the poll type for your SlashNext account.
Select Manual to manually poll for the feeds.
Select Auto to automatically poll for threat intel from sources at specific time intervals. Enter a frequency in minutes for the automatic polling.
Select a default TLP to assign for the feeds.
Set a default confidence score for the feeds.
Select any tags that you may want to associate with the feeds.
Enable Broken Connection Retry Policy to allow the CTIX application to retry failed connections to your SlashNext account. The system will attempt to connect 10 times.
You can enter the retry interval units in minutes, days, or weeks and also specify the retry interval and the retry count.
Enable Exponential Backoff Entry to progressively extend the wait time between retries for consecutive failed attempts. For example, for a 10-minute exponential retry interval, the system will re-attempt to connect in 10, 100, 1000, 10000 minutes, and so on until the retry count is met. Use this option to give your system resources some breathing time and resolve any service overload issues.
Click Save.
You can configure multiple instances of this integration by clicking Manage and Add More.
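The retry schedule described under Broken Connection Retry Policy and Exponential Backoff Entry, worked through as an added example (not CTIX code). It assumes the n-th exponential wait is the interval raised to the n-th power, as the 10, 100, 1000, 10000 sequence suggests; the function names and the one-day outage budget are illustrative.

```python
from itertools import accumulate

# Retry interval units offered in the feed channel settings, in minutes.
UNIT_MINUTES = {"minutes": 1, "days": 24 * 60, "weeks": 7 * 24 * 60}


def retry_waits(interval, retry_count, unit="minutes", exponential=False):
    """Wait before each retry, in minutes.

    Assumption: with exponential backoff the n-th wait is interval**n units,
    inferred from the 10, 100, 1000, 10000 sequence in the text above.
    Without it, every wait is the plain interval.
    """
    if interval < 1 or retry_count < 1:
        raise ValueError("interval and retry_count must be >= 1")
    per_unit = UNIT_MINUTES[unit]
    return [
        (interval ** n if exponential else interval) * per_unit
        for n in range(1, retry_count + 1)
    ]


def elapsed_at_retry(waits):
    """Minutes since the first failed connection when each retry fires."""
    return list(accumulate(waits))


def retries_within(budget_minutes, interval, retry_count, **kwargs):
    """How many retries fire before the feed has been down for budget_minutes."""
    elapsed = elapsed_at_retry(retry_waits(interval, retry_count, **kwargs))
    return sum(1 for minutes in elapsed if minutes <= budget_minutes)


if __name__ == "__main__":
    budget = 24 * 60  # hypothetical limit: feed must recover within one day
    for label, exp in (("fixed", False), ("exponential", True)):
        waits = retry_waits(10, 10, exponential=exp)
        print(f"{label:12} last wait {waits[-1] / 1440:,.1f} days, "
              f"{retries_within(budget, 10, 10, exponential=exp)} of 10 "
              f"retries inside {budget} minutes")
```

Under this assumption, a 10-minute exponential interval with a retry count of 10 places only the first three retries within a day of the failure, and the tenth wait alone is 10^10 minutes. A lower retry count or a fixed interval keeps the gap in feed coverage bounded.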
Poll for SlashNext Feeds Manually
If you enable Auto Polling while configuring feed channels, the polling will be done automatically. However, if you want to poll for information manually, use the following process.
Steps
Navigate to Administration, select Integration Management, and select APIs under FEED SOURCES.
Select SlashNext.
Select the feed channel.
Click the vertical ellipsis and select Poll Now.
Note
You can poll data only from the enabled feeds.
View SlashNext Feeds in CTIX
After configuring the SlashNext integration on the CTIX application, you can view the intel received on the CTIX application.
On the SlashNext integration configuration page, select View Intel.
View the IOCs received in the feeds from this source in Threat Data. Some IOCs received in the feeds that cannot be mapped to STIX domain objects are mapped to STIX custom objects.