Cyware Threat Intelligence eXchange

Threatfox

Notice

This integration is available in Intel Exchange starting v.3.7.4.0 and 3.6.4.0 (Early Access).

Connector Category: Enrichment tool

About Integration

Intel Exchange integrates with Threatfox to enhance threat data by providing critical insights into malware, hashes (MD5, SHA256), IPs, domains, and URLs. This enrichment helps you gain a deeper context on malicious activity, empowering more informed decision-making and faster threat response.

Configure Threatfox as an Enrichment Tool

Configure Threatfox in Intel Exchange to enrich IP addresses, domains and URLs.

Before you Start 

  • Ensure that you have the base URL and API token of your Threatfox account.

  • Ensure that your user group has Create, Update, and View permissions for enrichment tools and their associated policies in Intel Exchange.

    Note

    Ensure that the API key includes the permissions to retrieve threat data details.

Steps 

To configure Threatfox as an enrichment tool in Intel Exchange, follow these steps:

  1. Sign in to Intel Exchange and go to Administration > Enrichment Management > Enrichment Tools.

  2. Search for and select the Threatfox enrichment tool.

  3. Click Add Account and enter the following details: 

    • Account Name: Enter a unique account name to identify the instance. For example, Threatfox Prod.

    • Base URL: Enter the base URL of your Threatfox instance. The default base URL is https://threatfox-api.abuse.ch/api/v1.

    • API Key: Enter the API key of your Threatfox account to authenticate communication between Intel Exchange and Threatfox servers.

      Note

      While the API can return responses without an API key, using a key ensures access to complete and reliable data. For more information, refer to the Threatfox documentation. 

    • Verify SSL: Enable this option to validate the SSL certificate and secure the connection between Intel Exchange and Threatfox servers. This option is enabled by default.

      Note

      Cyware recommends that you select Verify SSL. If you disable this option, Intel Exchange may configure an instance with an expired SSL certificate. In that case the connection may not be established properly, and Intel Exchange will not be able to notify you of a broken or improper connection.

  4. Click Save.

After successfully adding an account, you can view and enable Threatfox feed enrichment types. You can also configure a quota to set a limit on the number of enrichment requests the Threatfox account can make. Once the quota is exhausted, no further enrichment requests can be made until the quota resets for the next quota duration. For more details, refer to Define Quota in Configure Enrichment Tools.

To understand the number of API calls and quota units consumed by the Threatfox enrichment tool per polling, refer to the following table.

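| Enrichment Tool | Feed Enrichment Type    | No. of API calls | Quota Consumed |
|-----------------|-------------------------|------------------|----------------|
| Threatfox       | Retrieve Domain Details | 1                | 1              |
| Threatfox       | Retrieve IP Details     | 1                | 1              |
| Threatfox       | Retrieve URLs Details   | 1                | 1              |
| Threatfox       | Retrieve Hash Details   | 1                | 1              |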