Skip to main content

Cyware Threat Intelligence eXchange

PhishLabs

Connector Category: API Feed Source

About Integration

CTIX integrates with PhishLabs to retrieve indicator, threat, case, incident, and ETI feeds.

Use Cases 

  • Understand the threat patterns and reveal unknown threats.

  • Review evidence details to make an informed decision on the intel

  • Get rich context for faster analysis of real-time threat intelligence feeds.

Benefits 

  • Prioritize and uncover threats by using real-time access to the rich context.

  • Automatically collect threat intel from PhishLabs.

Configure PhishLabs as API Feed Source

Configure PhishLabs as an API feed source in CTIX to retrieve threat data feeds from PhishLabs.

Before you Start 

  • You must have the View API Feed, View Feed Source, Create Feed Source, and Update Feed Source permissions in CTIX.

  • You must have the base URL, username, and password of your PhishLabs account.

Important

Ensure that the account includes the permissions to retrieve indicator, threat, case, incident, and ETI feed data. If the account does not have permission to retrieve a threat data feed, then the respective feed channel is disabled automatically and displays a connection error.

Steps 

To configure PhishLabs as an API feed source in CTIX, do the following:

  1. Go to Administration > Integration Management > FEED SOURCES > APIs.

  2. Click Add API Source.

  3. Search and select the PhishLabs app.

  4. Click Add Instance.

  5. Enter a unique name to identify the instance. For example, Prod-PhishLabs.

  6. Enter the base URL of your PhishLabs instance. For example, https://api.phishlabs.com/idapi/v1/.

  7. Enter the username and password of your PhishLabs account to authenticate communication between the CTIX and PhishLabs servers.

  8. Select Verify SSL to verify the SSL certificate and secure the connection between the CTIX and PhishLabs servers. By default, Verify SSL is selected.

    Note

    Cyware recommends you select Verify SSL. If you disable this option, CTIX may configure an instance for an expired SSL certificate. This may not establish the connection properly and CTIX will not be able to notify you in case of a broken or improper connection.

  9. Click Save.

The PhishLabs instance is configured and you can view the PhishLabs feed channels. You can configure multiple instances of this integration by clicking Manage > Add More.

Configure PhishLabs Feed Channels

Configure the respective feed channels to retrieve threat data feeds from PhishLabs and store the feeds in a collection.

Steps 

To configure a PhishLabs feed channel, do the following:

  1. Go to Administration > Integration Management > FEED SOURCES > APIs.

  2. Search and select the PhishLabs app.

  3. Click the ellipsis on the top right corner and select Manage.

  4. Click Manage Feed Channels.

  5. Select a feed channel and turn on the toggle.

  6. Enter a name for the collection to group feed data. For example, PhishLabs Indicator Feeds. CTIX creates the collection and stores all the feeds from the feed channel.

  7. Select from one of the following Polling Cron Schedule types to define when to poll the data:

    • Manual: Allows you to manually poll from the source collection.

    • Auto: Allows you to automatically poll for threat intel from sources at specific time intervals. The default polling cron schedule is Auto.

      • Enter a frequency in minutes between 60 and 10080 minutes in Polling Time. The default polling time is 240 minutes.

  8. Set a default TLP and confidence score to assign to the feeds that do not have a TLP and confidence score already assigned. By default, the default TLP and confidence score are set to Amber and 100 respectively.

  9. Select the tags to identify and categorize the feeds.

  10. Click Save.

The feed channel is configured and you can poll feeds from the channel. You can enable other feed channels, poll feeds, and view the feeds. For more information, see API Integrations.

Test PhishLabs Feed Channel Connectivity

Test the connectivity of the PhishLabs API feed channels to ensure that the connection with the correct API endpoint is established and that you have permission to poll feeds.

Before you Start 

  • Ensure that the PhishLabs API integration is enabled.

  • Ensure that the feed channel for which you want to test connectivity is enabled.

Steps 

To test the connectivity of a feed channel, do the following:

  1. Go to Administration > Integration Management > FEED SOURCES > APIs.

  2. Search and select the PhishLabs app.

  3. On a feed channel, click the vertical ellipses and select View Details.

  4. In the Working Status section, click Test Connectivity.

If the connection is established, then the working status shows Running. If the connectivity is broken, then the working status shows a Connection Error. Hover over the tooltip next to Connection Error to view the error code.

Note

When the connectivity of a feed channel breaks, CTIX disables the channel and re-attempts to restore the connectivity three times every hour. After a successful re-attempt to restore the connectivity, CTIX enables the feed channel automatically.

To understand the error code and troubleshoot broken connectivity, see Troubleshoot Integrations.

PhishLabs Feed Channels

CTIX provides multiple channels to poll feeds from PhishLabs. The following table lists all the feed channels and the PhishLabs API endpoints used for each feed channel.

Feed Channel

API URL

Fetch Indicator Feeds

https://ioc.phishlabs.com/api/v1/feed/stix 

Fetch Threat Feeds

https://threatfeed.phishlabs.com/threatfeed/v1 

Fetch Case Feeds

https://caseapi.phishlabs.com/idapi/v1/incidents/ 

Fetch Incident Feeds

https://caseapi.phishlabs.com/idapi/v1/incidents/ 

Fetch ETI Feeds

https://ioc.phishlabs.com/api/v1/feed