Cyware Threat Intelligence eXchange

TeamT5 ThreatVision

Connector Category: API Feed Source

Notice

The integration is available in Intel Exchange from v3.7.4.0 (Early Access).

Overview

What is this integration about? 

Intel Exchange integrates with TeamT5 ThreatVision to provide up-to-date intelligence on cyber threats, including adversaries, malware, vulnerabilities, and attack patterns. This integration enhances security operations by offering valuable insights into evolving threats.

TeamT5 ThreatVision provides intelligence on the following threat objects:

  • Threat Actors (Adversaries)

  • Malware

  • Vulnerabilities

  • Attack Patterns

  • Intelligence Reports

  • Indicators (IPv4, domains, hashes – MD5, SHA1, SHA256)

  • Tools

  • Identities

  • Observables
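Indicator feeds from TeamT5 arrive as STIX 2.1 bundles through the ioc_bundles endpoint listed under TeamT5 Feed Channels further down this page. The following Python is an added example, not code from Cyware or TeamT5: it parses a constructed bundle (all identifiers and values are fictional) and extracts the IPv4, domain and hash indicator types listed above, checks that each hash has the length its algorithm implies, and attaches the malware or threat actor that each indicator is declared to indicate through the bundle's relationship objects.

```python
import json
import re

# Constructed STIX 2.1 bundle in the shape the ioc_bundles/{id}.stix endpoint is described
# as returning: indicators plus relationship objects. Every id and value here is fictional.
SAMPLE_BUNDLE_JSON = json.dumps({
    "type": "bundle",
    "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {"type": "threat-actor", "spec_version": "2.1",
         "id": "threat-actor--aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa", "name": "ExampleActor"},
        {"type": "malware", "spec_version": "2.1", "is_family": True,
         "id": "malware--bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb", "name": "ExampleRAT"},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--cccccccc-cccc-4ccc-8ccc-ccccccccccc1",
         "valid_from": "2024-01-01T00:00:00Z",
         "pattern": "[ipv4-addr:value = '203.0.113.10']"},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--cccccccc-cccc-4ccc-8ccc-ccccccccccc2",
         "valid_from": "2024-01-01T00:00:00Z",
         "pattern": "[domain-name:value = 'C2.Example.NET']"},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--cccccccc-cccc-4ccc-8ccc-ccccccccccc3",
         "valid_from": "2024-01-01T00:00:00Z",
         "pattern": "[file:hashes.'SHA-256' = '" + "0123456789abcdef" * 4
                    + "' OR file:hashes.MD5 = '" + "0123456789abcdef" * 2 + "']"},
        {"type": "relationship", "spec_version": "2.1", "relationship_type": "indicates",
         "id": "relationship--dddddddd-dddd-4ddd-8ddd-ddddddddddd1",
         "source_ref": "indicator--cccccccc-cccc-4ccc-8ccc-ccccccccccc1",
         "target_ref": "malware--bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb"},
        {"type": "relationship", "spec_version": "2.1", "relationship_type": "indicates",
         "id": "relationship--dddddddd-dddd-4ddd-8ddd-ddddddddddd2",
         "source_ref": "indicator--cccccccc-cccc-4ccc-8ccc-ccccccccccc3",
         "target_ref": "threat-actor--aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa"},
        {"type": "relationship", "spec_version": "2.1", "relationship_type": "uses",
         "id": "relationship--dddddddd-dddd-4ddd-8ddd-ddddddddddd3",
         "source_ref": "threat-actor--aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa",
         "target_ref": "malware--bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb"},
    ],
})

# One simple STIX comparison: <object-type>:<property path> = '<value>'
COMPARISON = re.compile(r"([a-z0-9-]+):([\w.'\-]+)\s*=\s*'([^']*)'")

# STIX 2.1 hash dictionary keys mapped to (indicator type, expected hex length)
HASH_ALGOS = {"MD5": ("md5", 32), "SHA-1": ("sha1", 40), "SHA-256": ("sha256", 64)}


def observables_from_pattern(pattern: str) -> list:
    """Return (type, value) pairs for the IPv4, domain and hash comparisons in a pattern."""
    found = []
    for obj_type, prop, value in COMPARISON.findall(pattern):
        prop = prop.replace("'", "")  # hashes.'SHA-256' -> hashes.SHA-256
        if obj_type == "ipv4-addr" and prop == "value":
            found.append(("ipv4", value))
        elif obj_type == "domain-name" and prop == "value":
            found.append(("domain", value.lower()))
        elif obj_type == "file" and prop.startswith("hashes."):
            algo = prop[len("hashes."):]
            if algo in HASH_ALGOS:
                kind, length = HASH_ALGOS[algo]
                digest = value.lower()
                # A hash of the wrong length or with non-hex characters is dropped rather
                # than loaded as an indicator that could never match anything.
                if len(digest) == length and re.fullmatch(r"[0-9a-f]+", digest):
                    found.append((kind, digest))
    return found


def extract_indicators(bundle_json: str) -> list:
    """Flatten a STIX bundle into indicator rows with the objects they indicate."""
    objects = json.loads(bundle_json).get("objects", [])
    names = {o["id"]: o.get("name", o["id"]) for o in objects if "id" in o}
    indicates = {}
    for o in objects:
        if o.get("type") == "relationship" and o.get("relationship_type") == "indicates":
            target = names.get(o["target_ref"], o["target_ref"])
            indicates.setdefault(o["source_ref"], []).append(target)
    rows = []
    for o in objects:
        if o.get("type") != "indicator" or o.get("pattern_type", "stix") != "stix":
            continue
        for kind, value in observables_from_pattern(o.get("pattern", "")):
            rows.append({"type": kind, "value": value, "indicator_id": o["id"],
                         "indicates": sorted(indicates.get(o["id"], []))})
    return rows


if __name__ == "__main__":
    for row in extract_indicators(SAMPLE_BUNDLE_JSON):
        print(row["type"], row["value"], "->", ", ".join(row["indicates"]) or "(no relation)")
```

The parser only handles flat equality comparisons, which is what hash, IP and domain indicators normally use; indicators with other pattern types or unexpected properties are skipped rather than guessed at, so anything that reaches a watchlist is of a known type with a well-formed value.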

Configure TeamT5 as a Feed Source

Configure TeamT5 ThreatVision as an API feed source to receive threat data feeds.

Before you Start 

  • You must have the View API Feed, View Feed Source, Create Feed Source, and Update Feed Source permissions in Intel Exchange.

  • You must have the base URL, client ID, and client secret of your TeamT5 account.

Steps 

To configure TeamT5 as an API feed source in Intel Exchange, follow these steps:

  1. Go to Administration > Integration Management. In Feed Sources, click APIs.

  2. Click Add API Source.

  3. Search and select TeamT5 ThreatVision.

  4. Click Add Instance.

    1. Enter a unique name to identify the instance. For example, TeamT5-Prod.

    2. Enter the base URL of your TeamT5 instance. The default base URL is https://api.threatvision.org/api/v2/.

    3. Enter the client ID and secret key to authenticate communication between the Intel Exchange and TeamT5 ThreatVision servers.

    4. Select Verify SSL to verify the SSL certificate and secure the connection between the Intel Exchange and TeamT5 ThreatVision servers. By default, Verify SSL is selected.

      Note

      Cyware recommends that you keep Verify SSL selected. If you disable this option, Intel Exchange may configure an instance against a server with an expired SSL certificate. The connection may then not be established properly, and Intel Exchange will not be able to notify you of a broken or improper connection.

  5. Click Save.

After the TeamT5 instance is configured successfully, you can view the TeamT5 feed channels. You can configure multiple instances by clicking Manage > Add More.
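Verify SSL is the only setting in this procedure that controls whether an expired, untrusted or mis-issued server certificate is noticed at all. The following Python is an added example, not code from Cyware or TeamT5: it builds the two TLS configurations the option corresponds to, shows what each one actually checks, and performs a preflight handshake against a host so the certificate state can be confirmed before the instance is saved. The host name is the default TeamT5 base URL on this page; the 30-day warning threshold is this example's own choice.

```python
import socket
import ssl
import time

# Host from the default base URL on this page; any HTTPS host can be passed instead.
DEFAULT_HOST = "api.threatvision.org"


def cert_time(not_after: str) -> float:
    """Parse a certificate 'notAfter' string as getpeercert() returns it,
    e.g. 'Jun  1 12:00:00 2030 GMT', into UTC epoch seconds."""
    return ssl.cert_time_to_seconds(not_after)


def classify_certificate(not_after: str, now_ts: float, warn_days: int = 30) -> str:
    """'expired', 'expiring' (fewer than warn_days left) or 'valid'."""
    remaining = cert_time(not_after) - now_ts
    if remaining <= 0:
        return "expired"
    if remaining < warn_days * 86400:
        return "expiring"
    return "valid"


def make_context(verify: bool) -> ssl.SSLContext:
    """verify=True mirrors Verify SSL selected: the chain is validated against the
    system trust store and the hostname is checked. verify=False mirrors it cleared."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False          # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def describe_context(ctx: ssl.SSLContext) -> dict:
    """What a context will actually enforce during the handshake."""
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
    }


def check_tls_endpoint(host: str = DEFAULT_HOST, port: int = 443,
                       verify: bool = True, timeout: float = 5.0) -> dict:
    """Handshake with the server and report what the chosen setting lets you learn.
    Needs network access, so it is not part of the offline checks."""
    ctx = make_context(verify)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # Expired, untrusted or name-mismatched certificate: the failure Verify SSL surfaces.
        return {"ok": False, "reason": exc.verify_message}
    except (OSError, ssl.SSLError) as exc:
        return {"ok": False, "reason": str(exc)}
    if not cert:
        # With CERT_NONE, getpeercert() returns an empty dict: the handshake succeeded,
        # but nothing about the certificate was examined, so an expired one goes unnoticed.
        return {"ok": True, "status": "unverified"}
    status = classify_certificate(cert["notAfter"], time.time())
    return {"ok": status != "expired", "status": status, "not_after": cert["notAfter"]}


if __name__ == "__main__":
    print(describe_context(make_context(True)))
    print(check_tls_endpoint(verify=True))
```

Run it with verify=True before saving the instance: a verification error names the exact problem (expired, untrusted issuer, name mismatch), whereas the verify=False path returns "unverified" and can only tell you that a TCP and TLS handshake completed, which is the blind spot the note above describes.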

Configure TeamT5 Feed Channels

Configure the feed channel to retrieve threat data feeds from TeamT5.

Steps 

To configure the feed channels, follow these steps:

  1. Go to Administration > Integration Management. In Feed Sources, click APIs.

  2. Search and select the TeamT5 app.

  3. Click the vertical ellipsis, and select Manage.

  4. Click Manage Feed Channels.

  5. Select a feed channel, and turn on the toggle.

    1. Enter the date and time to start polling feeds. Select a date within 15 days from the current date.

    2. Enter the name of the collection to group the feed data. For example, CS Feeds. Intel Exchange creates the collection and stores all the feeds from the feed channel.

    3. Select one of the following Polling Cron Schedule types to define when to poll the data:

      • Manual: Allows you to manually poll from the source collection. 

      • Auto: Allows you to automatically poll for threat intel from sources at specific time intervals. The default polling cron schedule is Auto. 

        • Enter a frequency in minutes between 60 and 10080 minutes in Polling Time. The default polling time is 240 minutes.

    4. Set a default TLP and confidence score to assign to feeds that do not already have one. By default, the TLP and confidence score are set to Amber and 100, respectively.

    5. Select any tags to identify and categorize the feeds.

  6. Click Save.

Test Feed Channel Connectivity

Test the connectivity of the TeamT5 API feed channels to ensure that the connection with the correct API endpoint is established and that you have permission to poll feeds.

Before you Start 

  • Ensure that the TeamT5 integration is enabled.

  • Ensure that the feed channel for which you want to test connectivity is enabled.

Steps 

To test the connectivity of a feed channel, follow these steps:

  1. Go to Administration > Integration Management > Feed Sources > APIs.

  2. Search and select the TeamT5 app.

  3. On a feed channel, click the vertical ellipsis and select View Details.

  4. In the Working Status section, click Test Connectivity.

If the connection is established, the working status shows Running. If the connectivity is broken, the working status shows Connection Error. Hover over the tooltip next to Connection Error to view the error code.

Note

When the connectivity of a feed channel breaks, Intel Exchange disables the channel and re-attempts to restore the connectivity three times every hour. After a successful re-attempt, Intel Exchange enables the feed channel automatically.

TeamT5 Feed Channels

The following lists each feed channel, the API endpoints used to retrieve its feeds from TeamT5, and what each endpoint returns:

Retrieve Threat Actors Feeds

  • {{base_url}}adversaries - Retrieves a list of all adversaries (threat actors).

  • {{base_url}}adversaries/search?query={adversary_name} - Searches for a specific adversary by name.

  • {{base_url}}adversaries/:name/reports - Retrieves reports related to the specified adversary.

  • {{base_url}}adversaries/:name/malwares - Retrieves malwares related to the specified adversary.

  • {{base_url}}adversaries/:name/capabilities - Retrieves capabilities (attack patterns) related to the specified adversary.

  • {{base_url}}adversaries/:name/samples - Provides file samples and hash observables linked to the adversary.

Fetch Attack Pattern Feeds

  • {{base_url}}mitre/techniques - Retrieves all MITRE ATT&CK techniques.

  • {{base_url}}mitre/tactics - Retrieves all MITRE ATT&CK tactics.

  • {{base_url}}mitre/techniques/:serial_number/samples - Provides file samples and hash observables related to the specified MITRE technique.

Retrieve Vulnerability Feeds

  • {{base_url}}vulnerability/advisory_lists - Retrieves a list of all advisories with their release dates.

  • {{base_url}}vulnerability/advisory_lists/:name - Retrieves all vulnerabilities associated with a specific advisory.

Retrieve Reports Feeds

  • {{base_url}}reports - Retrieves all reports.

Fetch Malware Feeds

  • {{base_url}}malwares - Retrieves all malwares.

  • {{base_url}}malwares/search?query={malware_name} - Searches for a specific malware by name.

  • {{base_url}}malwares/:name/reports - Retrieves intelligence reports related to the specified malware.

  • {{base_url}}malwares/:name/adversaries - Retrieves adversaries (threat actors) related to the specified malware.

  • {{base_url}}malwares/:name/capabilities - Retrieves capabilities (attack patterns) related to the specified malware.

  • {{base_url}}malwares/:name/samples - Provides file samples and hash observables associated with the malware.

Fetch Indicator Feeds

  • {{base_url}}ioc_bundles - Retrieves all Indicator of Compromise (IOC) bundles with STIX URLs and related reports.

  • {{base_url}}ioc_bundles/{ioc_bundle_id}.stix - Retrieves detailed IOC objects in STIX 2.1 format, including relations.
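The endpoints above are written as templates with two placeholder styles (:name and {param}) on top of a base URL, and the base URL you enter when configuring the instance decides how they join. The following Python is an added example, not code from Cyware or TeamT5: it holds the templates exactly as listed on this page, fills them from keyword arguments with every value percent-encoded, and guards against the one join pitfall that matters here, a base URL entered without the trailing slash the default shows (urljoin would otherwise resolve "adversaries" against "/api/" instead of "/api/v2/"). The endpoint keys and the sample names are this example's own.

```python
import re
from urllib.parse import quote, urljoin

# Default base URL as given on this page.
DEFAULT_BASE_URL = "https://api.threatvision.org/api/v2/"

# Endpoint templates from the feed channel list above, without the {{base_url}} prefix.
# The keys are this example's own short names.
ENDPOINTS = {
    "adversaries": "adversaries",
    "adversary_search": "adversaries/search?query={adversary_name}",
    "adversary_reports": "adversaries/:name/reports",
    "adversary_malwares": "adversaries/:name/malwares",
    "adversary_capabilities": "adversaries/:name/capabilities",
    "adversary_samples": "adversaries/:name/samples",
    "mitre_techniques": "mitre/techniques",
    "mitre_tactics": "mitre/tactics",
    "technique_samples": "mitre/techniques/:serial_number/samples",
    "advisory_lists": "vulnerability/advisory_lists",
    "advisory_vulnerabilities": "vulnerability/advisory_lists/:name",
    "reports": "reports",
    "malwares": "malwares",
    "malware_search": "malwares/search?query={malware_name}",
    "malware_reports": "malwares/:name/reports",
    "malware_adversaries": "malwares/:name/adversaries",
    "malware_capabilities": "malwares/:name/capabilities",
    "malware_samples": "malwares/:name/samples",
    "ioc_bundles": "ioc_bundles",
    "ioc_bundle_stix": "ioc_bundles/{ioc_bundle_id}.stix",
}

# Matches either ':name' or '{name}' style placeholders in a template.
PLACEHOLDER = re.compile(r":([A-Za-z_]\w*)|\{([A-Za-z_]\w*)\}")


def normalize_base_url(base_url: str) -> str:
    """Ensure a trailing slash. urljoin() treats 'https://host/api/v2' as a file named
    'v2' inside '/api/', so 'adversaries' would resolve to https://host/api/adversaries."""
    return base_url if base_url.endswith("/") else base_url + "/"


def required_params(endpoint: str) -> list:
    """Placeholder names an endpoint template needs, in order of appearance."""
    return [a or b for a, b in PLACEHOLDER.findall(ENDPOINTS[endpoint])]


def resolve(endpoint: str, base_url: str = DEFAULT_BASE_URL, **params) -> str:
    """Fill an endpoint template and join it to the base URL.

    Values are percent-encoded with no characters left 'safe', so a name containing
    '/', '?' or spaces stays one path segment (or one query value) instead of altering
    the request path. Missing or unexpected parameters raise rather than produce a bad URL.
    """
    needed = required_params(endpoint)
    missing = [p for p in needed if p not in params]
    unexpected = sorted(set(params) - set(needed))
    if missing or unexpected:
        raise ValueError(f"{endpoint}: missing={missing} unexpected={unexpected}")

    def fill(match):
        key = match.group(1) or match.group(2)
        return quote(str(params[key]), safe="")

    relative = PLACEHOLDER.sub(fill, ENDPOINTS[endpoint])
    return urljoin(normalize_base_url(base_url), relative)


if __name__ == "__main__":
    # Constructed sample names; not real TeamT5 adversary or malware names.
    print(resolve("adversaries"))
    print(resolve("adversary_reports", name="Example Actor"))
    print(resolve("malware_search", malware_name="a/b?c"))
    print(resolve("ioc_bundle_stix", base_url="https://api.threatvision.org/api/v2", ioc_bundle_id=42))
```

Because resolve() refuses unknown parameters, a typo such as passing names= instead of name= fails at the call site instead of silently producing a request for the unfilled template.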