
Cyware Threat Intelligence eXchange

ThreatFox

Connector Category: Enrichment Tool

About Integration

ThreatFox is a free, community-driven platform for sharing intel about indicators of compromise (IOCs) so that malicious IOCs can be identified. Intel Exchange integrates with ThreatFox to enable analysts to add context to, and identify, the malicious IP addresses, URLs, hashes, and domains ingested from various sources.

Configure ThreatFox as an Enrichment Tool

Configure ThreatFox as an enrichment tool to enrich IP addresses, URLs, hashes, and domains.

Before you Start

  • You must have the view, create, and update permissions for Enrichment Management.

  • You must have the base URL and API key of your ThreatFox account.

    Note

    Ensure that the API key includes the permissions to retrieve the details of IP addresses, URLs, hashes, and domains.

Steps

To configure ThreatFox as an enrichment tool in Intel Exchange, follow these steps:

  1. Go to Administration > Enrichment Management > Enrichment Tools.

  2. Search for and select the ThreatFox app.

  3. Click Add Instance and enter the following details:

    • Account Name: Enter a unique account name to identify the instance. For example, Prod_ThreatFox.

    • Base URL: Enter the base URL of your ThreatFox instance. The default base URL is https://threatfox-api.abuse.ch/api/v1/.

    • API Key: Enter the API key of your ThreatFox account to authenticate communication between the Intel Exchange and ThreatFox servers.

    • Verify SSL: Select Verify SSL to verify the SSL certificate and secure the connection between the Intel Exchange and ThreatFox servers. By default, Verify SSL is selected.

      Note

      We recommend that you keep Verify SSL enabled. If you disable this option, Intel Exchange may configure an instance for an expired SSL certificate. The connection may then not be established properly, and Intel Exchange will not be able to notify you of a broken or improper connection.

  4. Click Save.
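
The base URL, API key, and certificate validation entered in step 3 can be checked from a workstation before the instance is saved. The following is an added example, not Cyware or ThreatFox code; it assumes ThreatFox's public API conventions (an Auth-Key header and the search_ioc and search_hash queries), and the function names and the sample reply are constructed for illustration.

```python
import json
import re
import ssl
import urllib.error
import urllib.request

DEFAULT_BASE_URL = "https://threatfox-api.abuse.ch/api/v1/"  # default given on this page
HASH_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{64})$")  # MD5 or SHA-256
# Constructed sample reply (not real ThreatFox data), for offline use of summarize()
SAMPLE_REPLY = ('{"query_status": "ok", "data": [{"ioc": "198.51.100.7:443", '
                '"malware": "win.example", "confidence_level": 75}]}')


def build_request(base_url, api_key, indicator):
    """Build the single POST one lookup costs (assumed ThreatFox public API shape)."""
    if not base_url.lower().startswith("https://"):
        raise ValueError("base URL must be https so the API key is never sent in clear")
    if HASH_RE.match(indicator):  # assumption: file hashes go to search_hash
        payload = {"query": "search_hash", "hash": indicator}
    else:  # IP address, URL or domain
        payload = {"query": "search_ioc", "search_term": indicator}
    return urllib.request.Request(
        base_url,
        data=json.dumps(payload).encode(),
        headers={"Auth-Key": api_key, "Content-Type": "application/json"},
        method="POST",
    )


def summarize(body):
    """Reduce a JSON reply to (query_status, [(ioc, malware, confidence_level), ...])."""
    reply = json.loads(body)
    status = reply.get("query_status", "unknown")
    data = reply.get("data")
    rows = data if status == "ok" and isinstance(data, list) else []
    return status, [(r.get("ioc"), r.get("malware"), r.get("confidence_level")) for r in rows]


def check_instance(base_url, api_key, indicator, timeout=15):
    """Send one lookup with certificate and hostname verification left on."""
    ctx = ssl.create_default_context()  # same effect as keeping Verify SSL selected
    req = build_request(base_url, api_key, indicator)
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return summarize(resp.read())
    except urllib.error.URLError as exc:
        # Expired or untrusted certificates and rejected keys surface here
        return "request_failed: %s" % exc.reason, []
```

Calling check_instance(DEFAULT_BASE_URL, api_key, indicator) with a real key sends one request; a status that starts with request_failed means the certificate, URL, or key should be fixed before the instance is saved.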

After successfully adding an account, you can view and enable the ThreatFox feed enrichment types. You can also configure a quota to limit the number of enrichment requests Intel Exchange makes to ThreatFox. After the quota expires, you cannot make enrichment requests until the quota resets for the next quota duration. For more information, see Define Quota in Configure Enrichment Tools.

To understand the number of API calls and quota units consumed by the ThreatFox enrichment tool per polling, refer to the following table:

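| Enrichment Tool | Feed Enrichment Type | Number of API Calls | Quota Consumed |
|-----------------|----------------------|---------------------|----------------|
| ThreatFox       | IP                   | 1                   | 1              |
| ThreatFox       | URL                  | 1                   | 1              |
| ThreatFox       | Hash                 | 1                   | 1              |
| ThreatFox       | Domain               | 1                   | 1              |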

You can configure an enrichment policy to automatically enrich threat data objects using the ThreatFox enrichment tool. For more information, see Configure Enrichment Policy.