Incoming feed - Bitdefender Advanced Threat Intelligence Hash Feed#

Note

This article describes how to configure incoming feeds for a particular feed source. To see how to configure incoming feeds in general, see Create and configure incoming feeds.

Specifications

Transport types

Bitdefender Advanced Threat Intelligence Hash Feed

Content type

Bitdefender Hash JSON

Ingested data

Ingests File Hash Watchlist indicators from these feeds:

  • APT-filehashes-jsonl-feed

Endpoint(s)

https://feeds.ti.bitdefender.com/

Processed data

See Data mapping.

Requirements#

  • Bitdefender Advanced Threat Intelligence JWT token

Configure the incoming feed#

  1. Create or edit an incoming feed.

  2. Under Transport and content, fill out these fields:

    Note

    Required fields are marked with an asterisk (*).

    Field

    Description

    Transport type*

    Select Bitdefender Advanced Threat Intelligence Hash Feed from the drop-down menu.

    Content type*

    Select Bitdefender Hash JSON from the drop-down menu.

    URL*

    By default, this is set to https://feeds.ti.bitdefender.com/.

    JWT Token*

    Set this to your Bitdefender Advanced Threat Intelligence JWT token.

    SSL verification

    Selected by default. Select this option to enable SSL for this feed.

    Path to SSL certificate file.

    Used when connecting to a feed source that uses a custom CA. Set this as the path to the SSL certificate to use when authenticating the feed source.

    For more information, see SSL certificates.

    Start ingesting from

    Not available for this transport type.

    The Bitdefender Advanced Threat Intelligence Hash Feed always downloads the latest available data from the last 30 days.

  3. Store your changes by selecting Save.

Execution schedule#

Bitdefender Advanced Threat Intelligence updates their feeds once each day at 0900 GMT+0.

For best results, either:

  • Set your execution schedule to match this, or

  • Set your execution schedule to None to only run the feed manually.

SSL certificates#

To use an SSL certificate, it must be:

  • Accessible on the EclecticIQ Intelligence Center host.

  • Placed in a location that can be accessed by the eclecticiq user.

  • Owned by eclecticiq:eclecticiq.

To make sure that EclecticIQ Intelligence Center can access the SSL certificate:

  1. Upload the SSL certificate to a location on the EclecticIQ Intelligence Center host.

  2. On the EclecticIQ Intelligence Center host, open the terminal.

  3. Change ownership of the SSL certificate by running as root in the terminal:

    chown eclecticiq:eclecticiq /path/to/cert.pem
    

    Where /path/to/cert.pem is the location of the SSL certificate EclecticIQ Intelligence Center needs to access.

Data mapping#

Map indicators#

This table shows how each record from the Bitdefender Advanced Threat Intelligence Hash Feed is mapped to Indicator on the platform:

Indicator field name

Mapped from Bitdefender Hash JSON

Example value

Description

Title

  • response[].ioc

9a05f01e247e0bc6cac7dc2508b492234039d93885ffba49b7fa769af910d451

Indicator from feed source.

Analysis

  • response[].threat_name

  • response[].threat_family

Threat name: phishing-unknown Threat family: phishing

Contains information about threats associated with the domain.

Types

  • N/A

File Hash Watchlist

Indicators from this feed are always ingested as File Hash Watchlist indicators.

Confidence

  • N/A

Unknown

Indicators from this feed are always ingested with Confidence set to Unknown.

Likely Impact

  • N/A

Unknown

Indicators from this feed are always ingested with Likely Impact set to Unknown.

Estimated time

  • Various

Various

See Map indicator timestamps.

Tags

  • response[].threats[].industries

  • response[].threat_family

  • response[].tags[]

Threat family name

Indicators are tagged with values found in these fields from Bitdefender Hash JSON.

Map indicator timestamps#

The following table describes how Bitdefender Advanced Threat Intelligence Indicator timestamps are mapped to Indicator timestamps on the platform.

Indicator estimated time field

CrowdStrike JSON field

Estimated threat start time

response[].threats[].first_seen

Estimated threat end time

response[].threats[].expire_at

Estimated observed time

response[].threats[].first_seen

Half-life

By default, set to Use default value.

Ingested

Date and time ingested.

Supported observables#

The following table describes the observable types supported for this feed, and how they’re mapped from Bitdefender Hash JSON:

Observable type

Maliciousness

Maps from Bitdefender Hash JSON

File hash. See Map file hash types.

High

  • response[].ioc

File hash. See Map file hash types.

Unknown

  • response[].threats[].file_hashes[].value

Country

Safe

  • response[].regions

Country Code

Safe

  • response[].regions

Map file hash types#

Value in Bitdefender Hash JSON

Maps to EclecticIQ Observable type

md5

Hash-md5

sha1

Hash-sha1

sha256

Hash-sha256

sha512

Hash-sha512

crc32

Not a supported observable type. Set in indicator Analysis field.