Flashpoint Ignite
Connector Category: API Feed Source
Notice
If you are using Flashpoint as an API feed source in Intel Exchange, refer to the Migrating to Flashpoint Ignite Feed Source section before you configure Flashpoint Ignite as an API feed source.
About Flashpoint Ignite
Flashpoint Ignite is an advanced intelligence platform that helps organizations enhance threat detection and risk mitigation capabilities. Intel Exchange integrates with Flashpoint Ignite to retrieve feeds related to threat intel reports, vulnerabilities, and indicators of compromise (IOCs). This integration enables you to gain visibility into intelligence landscapes across cyber threats and vulnerabilities to make informed decisions.
Use Cases
Verify product vulnerabilities in your environment by searching Intel Exchange by product name.
Detect and block malicious IOCs.
Retrieve vulnerabilities and filter them using their Common Vulnerability Scoring System (CVSS) scores.
Extract customer-premises equipment (CPEs) or products directly via relations, and check if any product in your configuration management database (CMDB) has vulnerabilities.
Assess exploitability by analyzing the description, custom attributes, CVSS v3 scores, exploit code maturity, and other relevant information.
Configure Flashpoint Ignite as an API Feed Source
Configure Flashpoint Ignite as an API feed source to retrieve reports, vulnerabilities, and indicator feeds from Flashpoint Ignite.
Before you Start
You must have the View API Feed, View Feed Source, Create Feed Source, and Update Feed Source permissions in Intel Exchange.
You must have the base URL and bearer token of your Flashpoint Ignite account.
Important
Ensure that the bearer token includes the permissions to retrieve reports, vulnerabilities, and indicator feeds. If the bearer token does not have permission to retrieve a specific feed, then the respective feed channel is disabled automatically and displays a connection error.
If you have the API credentials of the Flashpoint tool, note that the FPTools platform and API will be decommissioned on August 1, 2024. For more information on how to generate the Flashpoint Ignite bearer token, see Generating an API Token in Ignite.
Steps
To configure Flashpoint Ignite as an API feed source in Intel Exchange, follow these steps:
Go to Administration > Integration Management and select APIs under FEED SOURCES.
Click Add API Source.
Search and select the Flashpoint Ignite app.
Click Add Instance and enter the following details:
Instance Name: Enter a unique name to identify the instance. For example, Prod-Flashpoint Ignite.
Base URL: Enter the base URL of your Flashpoint Ignite instance. The default base URL is https://api.flashpoint.io.
Bearer Token: Enter the API token to authenticate communication between the Intel Exchange and Flashpoint Ignite servers.
Verify SSL: Select Verify SSL to verify the SSL certificate and secure the connection between the Intel Exchange and Flashpoint Ignite servers. By default, Verify SSL is selected.
Note
Cyware recommends you select Verify SSL. If you disable this option, Intel Exchange may configure an instance for an expired SSL certificate. This may not establish the connection properly and Intel Exchange will not be able to notify you in case of a broken or improper connection.
Click Save.
After the Flashpoint Ignite instance is configured successfully, you can view the feed channels available for the instance. You can configure multiple instances by clicking Manage > Add More.
Configure Flashpoint Ignite Feed Channels
Configure the Flashpoint Ignite feed channels to retrieve threat intel feeds related to reports, vulnerabilities, and IOCs.
Steps
To configure a feed channel, follow these steps:
Go to Administration > Integration Management and select APIs under FEED SOURCES.
Search and select the Flashpoint Ignite app.
Click the ellipsis on the top right corner and select Manage.
Click Manage Feed Channels.
Select a feed channel and turn on the toggle to enable the channel.
Enter the following details:
Start Date and Time: Enter the date and time within 15 days from the current time to start polling feeds.
Collection Name: Enter the collection name to group the feeds retrieved from the channel. For example, Flashpoint Ignite Reports. A new collection is created and all the feeds retrieved from the feed channel are stored in the collection.
Polling Cron Schedule: Select from one of the following Polling Cron Schedule types to define when to poll the data:
Manual: Allows you to manually poll from the source collection.
Auto: Allows you to automatically poll for threat intel from sources at specific time intervals. The default polling cron schedule is Auto. Enter a frequency in minutes between 240 and 10080 minutes in Polling Time. The default polling time is 240 minutes.
Note
Flashpoint Ignite publishes its threat intel reports on schedules that range from daily to quarterly. Therefore, we recommend that you set a minimum polling frequency of 1440 minutes (24 hours) for the Retrieve Report Feeds channel.
Default TLP: Set a default TLP to assign to the feeds that do not include a source TLP. The default value is Amber.
Default Source Confidence: Set a default Confidence Score to assign to the feeds. Since Flashpoint Ignite does not provide any Confidence Score, the default source confidence is applied to all ingested feeds. The default value is 100.
Default Tags: Select the tags to identify and categorize the feeds.
Click Save.
The feed channel is configured and you can poll feeds from the channel. Similarly, you can configure other feed channels of the Flashpoint Ignite API feed source.
Flashpoint Ignite API Rate Limits
The Flashpoint Ignite API credentials include the following API request rate limits:
Burst throttle rate: You can send a maximum of 120 API requests per minute.
Sustained throttle rate: You can send a maximum of 5000 API requests per day.
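The two limits interact: a client that sends at the full burst rate spends the daily quota long before the day ends. The following added example (not Cyware or Flashpoint code) is a client-side limiter for custom scripts that call the API with the same credentials. Treating both limits as sliding windows is an assumption, as are the class and function names.

```python
from collections import deque

# Limits stated on this page for Flashpoint Ignite API credentials.
BURST_LIMIT, BURST_WINDOW = 120, 60        # requests per 60 seconds
DAILY_LIMIT, DAILY_WINDOW = 5000, 86400    # requests per 24 hours


class DualWindowLimiter:
    """Tracks send times and reports how long to wait to respect both limits.

    Assumption: both limits are enforced as sliding windows (conservative).
    """

    def __init__(self):
        self.sent = deque()  # send timestamps in seconds, oldest first

    def wait_time(self, now):
        # Forget requests that have aged out of the daily window.
        while self.sent and now - self.sent[0] >= DAILY_WINDOW:
            self.sent.popleft()
        wait = 0.0
        # Daily quota: blocked until the oldest of the last 5000 sends ages out.
        if len(self.sent) >= DAILY_LIMIT:
            wait = self.sent[-DAILY_LIMIT] + DAILY_WINDOW - now
        # Burst quota: blocked while the 120th most recent send is under 60 s old.
        if len(self.sent) >= BURST_LIMIT and now - self.sent[-BURST_LIMIT] < BURST_WINDOW:
            wait = max(wait, self.sent[-BURST_LIMIT] + BURST_WINDOW - now)
        return wait

    def record(self, now):
        self.sent.append(now)


def simulate_greedy(total_requests):
    """Return the send time (seconds from start) of the last request when a
    client sends as fast as both limits allow, using a simulated clock."""
    limiter, now = DualWindowLimiter(), 0.0
    for _ in range(total_requests):
        now += limiter.wait_time(now)
        limiter.record(now)
    return now


if __name__ == "__main__":
    print(simulate_greedy(5000) / 60)    # minutes to spend the whole daily quota
    print(simulate_greedy(5001) / 3600)  # hours until the next request is allowed
```

Sent at the burst rate, the 5000 daily requests are used up after 41 minutes, and the next request has to wait until the 24-hour mark.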
Test Flashpoint Ignite Feed Channel Connectivity
Test the connectivity of the Flashpoint Ignite API feed channels to ensure that the connection with the correct API endpoint is established and you have permission to poll feeds.
Before you Start
Ensure that the Flashpoint Ignite API feed source is enabled.
Ensure that the feed channel whose connectivity you want to test is enabled.
Steps
To test the connectivity of a feed channel, do the following:
Go to Administration > Integration Management and select APIs under FEED SOURCES.
Search and select the Flashpoint Ignite app.
On a feed channel, click the vertical ellipses and select View Details.
In the Working Status section, click Test Connectivity.
If the connection is established, then the working status shows Running. If the connectivity testing results in an error, then the working status shows a Connection Error. Hover over the tooltip next to Connection Error to view the error code.
Note
When the connectivity of a feed channel breaks, Intel Exchange disables the channel and re-attempts to restore the connectivity three times every hour. After a successful re-attempt to restore the connectivity, Intel Exchange enables the feed channel automatically.
To understand the error code and troubleshoot broken connectivity, see Troubleshoot Integrations.
For more information on how to poll feeds manually, view ingested intel, and manage API feed sources, see API Integrations.
Flashpoint Ignite Feed Channels
The following table lists all the feed channels and the Flashpoint Ignite API endpoints used for each feed channel.
Feed Channel | API URL | Comment |
---|---|---|
Retrieve Report Feeds | {{base_url}}/finished-intelligence/v1/reports {{base_url}}/technical-intelligence/v1/event?report= | The featured reports of Flashpoint Ignite are ingested with the Flashpoint Featured Report tag. |
Retrieve Vulnerability Feeds | {{base_url}}/vulnerability-intelligence/v1/vulnerabilities/ {{base_url}}/vulnerability-intelligence/v1/vulnerabilities/{id} | For premium users, the vulnerability feeds include some additional attributes. For more information, see the List Vulnerabilities API. |
Retrieve Indicator Feeds | {{base_url}}/technical-intelligence/v1/event | This feed channel returns a limited number of indicators per poll. For more information, see the List and Search API. |
Note
Vulnerability feeds use CVE ID as the value. Flashpoint Ignite may provide vulnerabilities that have not been published yet, with the vulnerability title as the value instead of the CVE ID. When the vulnerabilities are later published, the Flashpoint Ignite API feed source will ingest them during the subsequent polling based on your configuration settings and create a related vulnerability with the CVE ID as the value. Therefore, we recommend you handle both CVE IDs and vulnerability titles as values when using playbooks or Intel Exchange Open APIs.
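One way to handle both kinds of value in a playbook or script, as an added example that is not part of the Cyware documentation. The object layout (`value`, `related`), the function names and all sample values are constructed for illustration and are not the Intel Exchange schema.

```python
import re

# CVE ID syntax: "CVE-", a four-digit year, then four or more digits.
CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)

# Constructed sample objects; "related" holds the values of related objects.
SAMPLE = [
    {"value": "Example Product Remote Code Execution", "related": ["CVE-2099-0001"]},
    {"value": "CVE-2099-0001", "related": []},
    {"value": "Example Gateway Authentication Bypass", "related": []},
    {"value": "cve-2099-12345", "related": []},
]


def value_kind(value):
    """Return "cve" when the whole value is a CVE ID, otherwise "title"."""
    return "cve" if CVE_ID.fullmatch(value.strip()) else "title"


def canonical_keys(objects):
    """Map each object's value to the key it should be tracked under.

    CVE-valued objects are keyed by the upper-cased CVE ID. A title-valued
    (unpublished) object is keyed by a related CVE ID once one exists, so the
    earlier title record and the later CVE record collapse into one entry.
    """
    keys = {}
    for obj in objects:
        value = obj["value"].strip()
        if value_kind(value) == "cve":
            keys[value] = value.upper()
            continue
        related_cves = sorted(r.strip().upper() for r in obj.get("related", [])
                              if value_kind(r) == "cve")
        keys[value] = related_cves[0] if related_cves else "TITLE:" + value.casefold()
    return keys


def tracked_vulnerabilities(objects):
    """Distinct vulnerabilities after title and CVE records are reconciled."""
    return sorted(set(canonical_keys(objects).values()))


if __name__ == "__main__":
    for key in tracked_vulnerabilities(SAMPLE):
        print(key)
```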
Migrating to Flashpoint Ignite Feed Source
If you are using Flashpoint as an API feed source in Intel Exchange, follow these steps to configure Flashpoint Ignite as an API feed source.
Migrate from the Flashpoint Tools platform to the Flashpoint Ignite platform. For a seamless migration, contact your Flashpoint Customer Success representative.
After migrating to the Flashpoint Ignite platform, create a bearer token. For more information on generating a Flashpoint Ignite bearer token, see Generating API Token in Ignite.
Update the existing Flashpoint API feed source instance with the Flashpoint Ignite base URL (https://api.flashpoint.io) and bearer token.
The Flashpoint Ignite API feed source is now configured. The feed channels will start retrieving feeds from the Flashpoint Ignite platform based on the polling preference you have configured for the channels.