
Cyware Threat Intelligence eXchange

Retrieve NCFTA Feeds into Intel Exchange

NCFTA uses MISP as a data-sharing platform to share threat intelligence with partners. MISP is an open-source threat intelligence platform that facilitates sharing, storing, and correlating information on indicators of compromise (IOCs).

This article describes how to configure the MISP API feed source in Intel Exchange (CTIX) to receive NCFTA feeds.

Steps 

Configure NCFTA Feed Source

NCFTA uses MISP as the intel-sharing platform. Since Intel Exchange supports integration with MISP, you can configure the MISP API feed source to receive NCFTA feeds into Intel Exchange.

Before you Start 

  • You must have the View API Feed, View Feed Source, Create Feed Source, and Update Feed Source permissions in Intel Exchange.

  • You must have the base URL and authentication key of the NCFTA MISP instance.

Steps 

To configure MISP as an API feed source in Intel Exchange, follow these steps:

  1. Go to Administration > Integration Management and select APIs under FEED SOURCES.

  2. Click Add API Source.

  3. Search and select the MISP app.

  4. Click Add Instance and enter the following details:

    • Instance Name: Enter a unique name to identify the instance. For example, NCFTA-MISP.

    • Base URL: Enter the following base URL to receive NCFTA feeds:

      https://misp.ncfta.net

    • API Key: Enter the API key to authenticate communication between the Intel Exchange and NCFTA MISP servers.

    • Proxy URL: To ingest feeds from MISP using a proxy, enter the URL of the proxy server. For example, https://www.sampledomain.com.

    • Verify SSL: Select this option to verify the SSL certificate and secure the connection between the Intel Exchange and NCFTA MISP servers. By default, Verify SSL is selected.

      Note

      We recommend that you select Verify SSL. If you disable this option, Intel Exchange may configure an instance for an expired SSL certificate. In that case, the connection may not be established properly, and Intel Exchange will not be able to notify you of a broken or improper connection.

  5. Click Save.

After the NCFTA MISP instance is configured successfully, you can view and configure the feed channel to receive feeds.

Configure NCFTA Feed Channel

Configure the feed channel to retrieve threat data feeds from NCFTA and store the feeds in a collection in Intel Exchange.

Steps 

To configure the NCFTA feed channel, follow these steps:

  1. Go to Administration > Integration Management and select APIs under FEED SOURCES.

  2. Search and select the MISP app.

  3. Click the vertical ellipsis in the top-right corner and select Manage.

  4. Click Manage Feed Channels and select the Retrieve MISP Events feed channel.

  5. Enable the feed channel and enter the following details:

    • Start Date and Time: Enter the date and time to start polling feeds. Select a date within 15 days from the current date.

    • Collection Name: Enter the name of the collection to store the feed data. For example, NCFTA Feeds. A collection is created with the specified name to store all the feeds from the feed channel.

    • Published: Select this option to receive only published events from NCFTA. If you do not select this option, then Intel Exchange polls all events including unpublished events.

    • Filters: To retrieve events for specific sharing groups, use the following filter:

      1. Filter: Select Sharing Group. You can view the list of sharing groups available in the configured NCFTA MISP instance in Value.

      2. Value: Select the sharing groups to filter events. For example, TNT Listserv Intel, Cyfin Listserv Intel, RAOLF Listserv Intel, Malicious Threat Indicators (MTI), DGA, Tor Nodes Data, and more.

    • Polling Cron Schedule: Select one of the following polling types to define the polling schedule:

      • Manual: Allows you to manually poll from the source collection.

      • Auto: Allows you to automatically poll for threat intel from sources at specific time intervals. The default polling cron schedule is Auto. In Polling Time, enter a frequency between 60 and 10080 minutes. The default polling time is 240 minutes.

    • Default TLP: Set a default TLP to assign to the feeds that do not have a TLP already assigned by the source. By default, this is set to Amber.

    • Default Source Confidence: Set a default Confidence Score to assign to the feeds that do not have a score already assigned by the source. By default, this is set to 100.

    • Tags: Select the tags to identify and categorize the feeds.

  6. Click Save.

The feed channel is configured and you can poll feeds from the channel.
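The following is an added example, not Cyware or NCFTA code. It checks channel settings against the limits stated in the steps above and builds a direct query against MISP's REST API that mirrors the Published and Sharing Group filters, which helps confirm the base URL, API key, and certificate independently of Intel Exchange. It assumes MISP's standard `/events/restSearch` endpoint and `Authorization` header; the sharing group ID and the `<API-KEY>` value are constructed placeholders, and the 15-day limit is read as a look-back window.

```python
import json
import ssl
import urllib.request
from datetime import datetime, timedelta, timezone

MAX_LOOKBACK = timedelta(days=15)   # Start Date limit from the steps above
POLL_MIN, POLL_MAX = 60, 10080      # Auto polling bounds, in minutes


def check_channel(start, polling_minutes, now=None):
    """Return a list of problems with the channel settings (empty means OK)."""
    now = now or datetime.now(timezone.utc)
    problems = []
    # Assumption: "within 15 days" = not in the future, at most 15 days back.
    if not timedelta(0) <= now - start <= MAX_LOOKBACK:
        problems.append("start date is outside the 15-day window")
    if not POLL_MIN <= polling_minutes <= POLL_MAX:
        problems.append("polling time must be 60-10080 minutes")
    return problems


def build_event_search(base_url, api_key, start, published_only, sharing_group_ids):
    """Build (do not send) a MISP /events/restSearch request for these filters."""
    if not base_url.lower().startswith("https://"):
        raise ValueError("base URL must be https; the API key travels in a header")
    body = {"returnFormat": "json", "metadata": True,   # event headers only
            "timestamp": int(start.timestamp()), "limit": 5}
    if published_only:
        body["published"] = True
    if sharing_group_ids:
        body["sharinggroup"] = list(sharing_group_ids)
    return urllib.request.Request(
        base_url.rstrip("/") + "/events/restSearch",
        data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": api_key, "Accept": "application/json",
                 "Content-Type": "application/json"})


def send(request, timeout=30):
    """Send with certificate and hostname verification on, as with Verify SSL."""
    context = ssl.create_default_context()   # CERT_REQUIRED, check_hostname=True
    with urllib.request.urlopen(request, timeout=timeout, context=context) as resp:
        return resp.status, json.load(resp)


if __name__ == "__main__":
    start = datetime.now(timezone.utc) - timedelta(days=7)
    print(check_channel(start, 240) or "channel settings OK")
    req = build_event_search("https://misp.ncfta.net", "<API-KEY>", start, True, [1])
    print(req.get_method(), req.full_url, req.data.decode())
```

If `send()` raises a `URLError` whose reason is `ssl.SSLCertVerificationError`, the problem is the server certificate rather than the API key or permissions.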

Test Feed Channel Connectivity

Test the connectivity of the NCFTA feed channel to ensure that the connection with the correct API endpoint is established and that you have permission to poll feeds.

Before you Start 

  • Ensure that the MISP API integration is enabled.

  • Ensure that the feed channel for which you want to test connectivity is enabled.

Steps 

To test the connectivity of a feed channel, follow these steps:

  1. Go to Administration > Integration Management and select APIs under FEED SOURCES.

  2. Search and select the MISP app.

  3. Select the Retrieve MISP Events feed channel, and then click the vertical ellipsis and select View Details.

  4. In Working Status, click Test Connectivity.

If the connection is established, then the working status displays Working. Intel Exchange automatically polls feeds from NCFTA based on the configured polling schedule, or you can manually poll feeds. Click View Intel to view the feeds received from NCFTA.

Note

NCFTA feeds are ingested with the source as MISP.

If the connectivity testing results in an error, then the working status displays Connection Error. Hover over the tooltip next to Connection Error to view the error code.

Note

When the connectivity of a feed channel breaks, the feed channel is disabled automatically and reconnection is attempted three times every hour. After a successful reconnection attempt, the feed channel is enabled automatically.

To understand the error codes and troubleshoot broken connectivity, see Troubleshoot Integrations.

To learn more about the MISP objects ingested into Intel Exchange, see MISP Objects Ingested in CTIX.