Skip to main content

Cyware Threat Intelligence eXchange

Cyberint

Connector Category: API Feed Source

About Cyberint

CTIX integrates with Cyberint to provide access to contextual threat intelligence. This empowers you to enhance threat-hunting capabilities, conduct more comprehensive threat research, and effectively assess potential attacks.

Use cases 

  • Identify potential threats at an early stage by leveraging streamlined deep and dark web intel.

  • Provide contextual threat intel to enrich and enhance your security platform, blocklists, threat research, and threat-hunting activities.

Benefits 

  • Enhance threat research and threat-hunting activities by providing in-depth insights and understanding of relevant threats.

  • Polls threat data to ensure the confidentiality and integrity of your organization.

Configure Cyberint as an API Feed Source

Configure Cyberint as an API feed source to receive data feeds from Cyberint.

Before you Start 

  • You must have the View API Feed, View Feed Source, Create Feed Source, and Update Feed Source permissions.

  • You must have the base URL and API key of your Cyberint account.

    Note

    Ensure that the API key includes the permissions to retrieve threat data. If the API key does not have permission to retrieve the threat data feed, then the feed channel is disabled automatically and displays a connection error.

Steps 

To configure Cyberint as an API feed source in Intel Exchange, do the following:

  1. Go to Administration > Integration Management > FEED SOURCES > APIs.

  2. Click Add API Source.

  3. Search and select the Cyberint app.

  4. Click Add Instance.

  5. Enter a unique name to identify the instance. For example, Cyberint_intel.

  6. Enter the base URL of your Cyberint instance. For example, https://sample_url.com/sample_path/.

  7. Enter the API key of your Cyberint account to authenticate communication between the Intel Exchange and Cyberint servers.

  8. Select Verify SSL to verify the SSL certificate and secure the connection between the Intel Exchange and Cyberint servers. By default, Verify SSL is selected.

    Note

    Cyware recommends you select Verify SSL. If you disable this option, Intel Exchange may configure an instance for an expired SSL certificate. This may not establish the connection properly and Intel Exchange will not be able to notify you in case of a broken or improper connection.

  9. Click Save.

You can view and configure Cyberint feed channels to poll feeds. For more information, see API Integrations.

Note

  • It is recommended that you poll for Cyberint feeds at 00:01 hrs once a day to obtain a fresh set of feeds.

  • The minimum polling time you can enter to automatically poll feeds from Cyberint is 1440 minutes (1 day).

Configure Cyberint Feed Channels

Configure the feed channels to retrieve threat data feeds from Cyberint and store the feeds in a collection in the platform.

Steps 

To configure a feed channel, do the following:

  1. Go to Administration > Integration Management > FEED SOURCES > APIs.

  2. Search and select the Cyberint app.

  3. Click the ellipsis on the top right corner and select Manage.

  4. Click Manage Feed Channels.

  5. Select a feed channel, and turn on the toggle.

  6. Enter the date and time to start polling feeds. Select a date within 15 days from the current date.

  7. Enter the name of the collection to group the feed data. For example, CS Feeds. Intel Exchange creates the collection and stores all the feeds from the feed channel.

  8. Select from one of the following Polling Cron Schedule types to define when to poll the data: 

    • Manual: Allows you to manually poll from the source collection. 

    • Auto: Allows you to automatically poll for threat intel from sources at specific time intervals. The default polling cron schedule is Auto.

      • Enter a frequency in minutes between 60 and 10080 minutes in Polling Time. The default polling time is 240 minutes.

  9. Set a default TLP and confidence score to assign to the feeds that do not have a TLP and confidence score already assigned. By default, the default TLP and confidence score are set to Amber and 100 respectively.

  10. Select Retain Source Provided Confidence Score to keep the confidence score reported by Cyberint without undergoing recalculation using the Intel Exchange confidence score engine. Cyware recommends you retain the source-provided confidence score for faster ingestion of feeds.

    Note

    If you choose to retain the source-provided confidence score, it will remain unchanged after ingestion. If the source does not provide a confidence score, the default configured value will be applied, and this value will also remain unchanged since the CTIX score calculation engine will not process it.

  11. Select the tags to identify and categorize the feeds.

  12. Click Save.

The feed channel is configured and you can poll feeds from the channel. You can enable the other feed channels, poll feeds, and view the feeds. For more information, see API Integrations.

Test Cyberint Feed Channel Connectivity

Test the connectivity of the Cyberint API feed channels to ensure that the connection with the correct API endpoint is established and you have permission to poll feeds.

Before you Start

  • Ensure that the Cyberint API integration is enabled.

  • Ensure that the feed channel for which you want to test connectivity is enabled.

Steps 

To test the connectivity of a feed channel, do the following:

  1. Go to Administration > Integration Management > FEED SOURCES > APIs.

  2. Search and select the Cyberint app.

  3. On a feed channel, click the vertical ellipses and select View Details.

  4. In the Working Status section, click Test Connectivity.

If the connection is established, then the working status shows Running. If the connectivity testing results in an error, then the working status shows Connection Error. Hover over the tooltip next to Connection Error to view the error code.

Note

When the connectivity of a feed channel breaks, Intel Exchange disables the channel and re-attempts to restore the connectivity three times every hour. After a successful re-attempt to restore the connectivity, Intel Exchange enables the feed channel automatically.

To understand the error code and troubleshoot broken connectivity, see Troubleshoot Integrations.

Cyberint Feed Channels

Intel Exchange provides multiple channels to poll feeds from Cyberint. The following table lists all the feed channels and the API endpoints used for each feed channel:

Feed Channel 

API Endpoint 

Retrieve Domain Feeds Data

https://{environment}.cyberint.io/ioc/api/v1/feed/daily/?ioc_type=domain 

Retrieve URL Feeds Data

https://{environment}.cyberint.io/ioc/api/v1/feed/daily/?ioc_type=url 

Retrieve SHA256 Hash Feeds Data

https://{environment}.cyberint.io/ioc/api/v1/feed/daily/?ioc_type=file/sha256 

Retrieve IP Feeds Data

https://{environment}.cyberint.io/ioc/api/v1/feed/daily/?ioc_type=ipv4