ReversingLabs
Connector Category: API Feed Source
About Integration
CTIX integrates with ReversingLabs Threat Intelligence to ingest intel feeds related to malware.
Use Cases
Enhance detection, analysis, and response efficiency by leveraging an authoritative goodware and malware file reputation database.
Monitor malware feeds for specific threats like Ransomware, APT, CVE, financial, and retail sources to stay ahead of emerging threats.
Correlate with other sources to get better intelligence.
Benefits
Take proactive action to prevent and mitigate malware infections.
Configure ReversingLabs as an API Feed Source
Configure ReversingLabs as an API feed source in CTIX to retrieve malware data feeds.
Before you Start
You must have the View API Feed, View Feed Source, Create Feed Source, and Update Feed Source permissions in CTIX.
You must have the base URL, username, and password of your ReversingLabs account.
Important
Ensure that your ReversingLabs account includes the permission to retrieve malware feeds. If it does not, the feed channel is disabled automatically and displays a connection error.
Steps
To configure ReversingLabs as an API feed source in CTIX, do the following:
Go to Administration > Integration Management > FEED SOURCES > APIs.
Click Add API Source.
Search and select the ReversingLabs app.
Click Add Instance.
Enter a unique name to identify the instance. For example, Prod-ReversingLabs.
Enter the base URL of your ReversingLabs instance. For example, https://data.reversinglabs.com/api/.
Enter the username and password to authenticate communication between the CTIX and ReversingLabs servers.
Select Verify SSL to verify the SSL certificate and secure the connection between the CTIX and ReversingLabs servers. By default, Verify SSL is selected.
Note
Cyware recommends that you keep Verify SSL selected. If you disable this option, CTIX accepts any certificate presented by the server, including an expired one or one that does not belong to ReversingLabs, and configures the instance anyway. The connection may then fail or be tampered with, and CTIX cannot notify you of a broken or improper connection.
Click Save.
After the ReversingLabs instance is configured successfully, you can view and configure the ReversingLabs feed channels. You can configure multiple instances by clicking Manage > Add More.
Configure ReversingLabs Feed Channels
Configure the feed channels to retrieve threat data feeds from ReversingLabs and store the feeds in a collection.
Steps
To configure a ReversingLabs channel, do the following:
Go to Administration > Integration Management > FEED SOURCES > APIs.
Search and select the ReversingLabs app.
Click the ellipsis on the top right corner and select Manage.
Click Manage Feed Channels.
Select a feed channel and enable the toggle.
Enter the date and time to start polling feeds. Select a date within 15 days from the current date.
Enter the name of the collection to group the feed data. For example, ReversingLabs Feeds. CTIX creates the collection and stores all the feeds from the feed channel.
Select from one of the following Polling Cron Schedule types to define when to poll the data:
Manual: Allows you to manually poll from the source collection.
Auto: Allows you to automatically poll for threat intel from sources at specific time intervals. The default polling cron schedule is Auto.
Enter a polling frequency between 60 and 10080 minutes (one hour to one week) in Polling Time. The default polling time is 240 minutes.
Set a default TLP and confidence score to assign to the feeds that do not have a TLP and confidence score already assigned. By default, the default TLP and confidence score are set to Amber and 100 respectively.
Select any tags to identify and categorize the feeds.
(Optional) Enable the Broken Connection Retry Policy to allow CTIX to re-attempt failed connections to your ReversingLabs account. By default, the system attempts to connect 10 times.
Specify the retry interval (in minutes, days, or weeks) and the retry count.
Enable Exponential Backoff Entry to progressively lengthen the wait between retries after consecutive error responses. For example, with a 10-minute retry interval the system re-attempts the connection after 10, 100, 1000, 10000, and so on minutes until the retry count is reached. Use this option to give the ReversingLabs service time to recover from overload instead of polling it repeatedly. Note that the interval grows tenfold per retry, so with a 10-minute interval the fourth retry is already about a week away; keep the retry count small when backoff is enabled.
Click Save.
The feed channel is configured and you can poll feeds from the channel. You can enable the other feed channels, poll feeds, and view the feeds. For more information, see API Integrations.
Test ReversingLabs Feed Channel Connectivity
Test the connectivity of the ReversingLabs API feed channels to ensure that the connection with the correct API endpoint is established and you have permission to poll feeds.
Before you Start
Ensure that the ReversingLabs API integration is enabled.
Ensure that the feed channel for which you want to test connectivity is enabled.
Steps
To test the connectivity of a feed channel, do the following:
Go to Administration > Integration Management > FEED SOURCES > APIs.
Search and select the ReversingLabs app.
On a feed channel, click the vertical ellipsis and select View Details.
In the Working Status section, click Test Connectivity.
If the connection is established, then the working status shows Running. If the connectivity testing results in an error, then the working status shows a Connection Error. Hover over the tooltip next to Connection Error to view the error code.
Refer to the following table to understand the error codes:
HTTP Error Code | Error Description | Reason for the Error | Solution
---|---|---|---
400 | Bad Request | The server is unable to process the request because of an error on the client side. | Contact Cyware Support.
401 | Unauthorized | The integration credentials are incorrect or have expired. | Check the validity of the credentials and update them in the instance configuration.
403 | Forbidden | The integration credentials do not have permission to poll feeds from the channel. | Update the permissions of the credentials, or enter new credentials that include permission to poll feeds from the channel.
404 | Not Found | The requested resource could not be found on the server. Either the base URL or the endpoint has changed. | Contact Cyware Support.
429 | Too Many Requests | The maximum number of requests allowed for the integration credentials has been reached for the current duration. | Wait until the limit resets for the next duration cycle, or raise the request quota of the credentials with ReversingLabs.
502 | Bad Gateway | The server acting as a gateway or proxy received an invalid response from the upstream server. | Try again later or contact ReversingLabs support.
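The retry policy described in the channel configuration (retry count, retry interval, exponential backoff) and the error table above can be exercised together with a small connectivity checker. The following is an added example and is not CTIX or ReversingLabs code. The transport is injectable, so the retry logic runs offline against constructed status codes; the `http_transport` variant is included to show the real request and what clearing Verify SSL actually does. Assumptions that the page does not state: the feed endpoint is queried with HTTP Basic authentication, only 429 and 502 are retried (401, 403 and 404 need a configuration change, so retrying them only consumes quota), and exponential backoff multiplies the interval by 10 per retry as in the page's 10, 100, 1000 example.

```python
"""Connectivity check following the CTIX retry policy and error table.

Added example, not CTIX or ReversingLabs code. Assumptions: Basic auth,
429/502 are the only retriable codes, tenfold exponential backoff.
"""
import base64
import ssl
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Iterable, List

# Reasons taken from the error table. Which codes are retried is an
# assumption: 401/403/404 need a config change, so retrying them is wasted.
REASONS = {
    400: "bad request: client-side error, contact Cyware Support",
    401: "unauthorized: credentials incorrect or expired",
    403: "forbidden: credentials lack permission to poll this channel",
    404: "not found: base URL or endpoint has changed",
    429: "too many requests: rate limit reached for this duration",
    502: "bad gateway: upstream returned an invalid response",
}
RETRIABLE = {429, 502}

Transport = Callable[[str, dict], int]   # (url, headers) -> HTTP status


@dataclass
class Result:
    status: int            # HTTP status of the last attempt
    attempts: int          # connection attempts made
    working_status: str    # "Running" or "Connection Error", as CTIX shows it
    reason: str


def backoff_schedule(interval: int, retry_count: int, exponential: bool) -> List[int]:
    """Minutes to wait before each retry. Exponential mode multiplies the
    interval by 10 per retry, matching the page's 10, 100, 1000 example."""
    if exponential:
        return [interval * 10 ** i for i in range(retry_count)]
    return [interval] * retry_count


def basic_auth_header(username: str, password: str) -> str:
    """HTTP Basic credential header (assumed auth scheme for the feed API)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def http_transport(verify_ssl: bool = True) -> Transport:
    """Real transport over urllib. verify_ssl=False mirrors clearing
    Verify SSL in CTIX: expired or foreign certificates are accepted."""
    ctx = ssl.create_default_context()
    if not verify_ssl:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def send(url: str, headers: dict) -> int:
        req = urllib.request.Request(url, headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=30, context=ctx) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code
    return send


def scripted_transport(statuses: Iterable[int]) -> Transport:
    """Offline transport that returns a constructed sequence of status codes."""
    it = iter(statuses)
    return lambda url, headers: next(it)


def check_connectivity(url: str, username: str, password: str, transport: Transport,
                       interval: int = 10, retry_count: int = 10, exponential: bool = True,
                       sleep: Callable[[int], None] = lambda minutes: None) -> Result:
    """Attempt up to retry_count connections, waiting per backoff_schedule
    after retriable failures. Non-retriable codes stop immediately."""
    headers = {"Authorization": basic_auth_header(username, password)}
    waits = backoff_schedule(interval, retry_count, exponential)
    status, attempt = 0, 0
    for attempt in range(1, retry_count + 1):
        status = transport(url, headers)
        if 200 <= status < 300:
            return Result(status, attempt, "Running", "connected")
        if status not in RETRIABLE:
            break
        if attempt < retry_count:
            sleep(waits[attempt - 1])   # production code: time.sleep(60 * minutes)
    return Result(status, attempt, "Connection Error",
                  REASONS.get(status, f"unexpected status {status}"))


if __name__ == "__main__":
    # Constructed run: rate limited, then a gateway error, then success.
    waited = []
    r = check_connectivity("https://data.reversinglabs.com/api/", "user", "pass",
                           scripted_transport([429, 502, 200]), sleep=waited.append)
    print(r.working_status, r.attempts, waited)   # Running 3 [10, 100]
```

To check a live instance, pass `http_transport()` (or `http_transport(verify_ssl=False)` only to reproduce what a misconfigured instance does) and a real username and password; the returned `reason` maps directly to the rows of the error table.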
ReversingLabs Feed Channels
CTIX provides a channel to poll feeds from ReversingLabs. The following table lists the feed channel and the API endpoint used to retrieve feeds:
Feed Channel | API Endpoint
---|---
Fetch Malware Feeds |