Incoming feed - Bitdefender Advanced Threat Intelligence Hash Feed#
Note
This article describes how to configure incoming feeds for a particular feed source. To see how to configure incoming feeds in general, see Create and configure incoming feeds.
Specifications |
|
---|---|
Transport types |
Bitdefender Advanced Threat Intelligence Hash Feed |
Content type |
Bitdefender Hash JSON |
Ingested data |
Ingests File Hash Watchlist indicators from these feeds:
|
Endpoint(s) |
|
Processed data |
See Data mapping. |
Requirements#
Bitdefender Advanced Threat Intelligence JWT token
Configure the incoming feed#
Create or edit an incoming feed.
Under Transport and content, fill out these fields:
Note
Required fields are marked with an asterisk (*).
Field
Description
Transport type*
Select Bitdefender Advanced Threat Intelligence Hash Feed from the drop-down menu.
Content type*
Select Bitdefender Hash JSON from the drop-down menu.
URL*
By default, this is set to
https://feeds.ti.bitdefender.com/
.JWT Token*
Set this to your Bitdefender Advanced Threat Intelligence JWT token.
SSL verification
Selected by default. Select this option to enable SSL for this feed.
Path to SSL certificate file.
Used when connecting to a feed source that uses a custom CA. Set this as the path to the SSL certificate to use when authenticating the feed source.
For more information, see SSL certificates.
Start ingesting from
Not available for this transport type.
The Bitdefender Advanced Threat Intelligence Hash Feed always downloads the latest available data from the last 30 days.
Store your changes by selecting Save.
Execution schedule#
Bitdefender Advanced Threat Intelligence updates their feeds once each day at 0900 GMT+0.
For best results, either:
Set your execution schedule to match this, or
Set your execution schedule to None to only run the feed manually.
SSL certificates#
To use an SSL certificate, it must be:
Accessible on the EclecticIQ Intelligence Center host.
Placed in a location that can be accessed by the
eclecticiq
user.Owned by
eclecticiq:eclecticiq
.
To make sure that EclecticIQ Intelligence Center can access the SSL certificate:
Upload the SSL certificate to a location on the EclecticIQ Intelligence Center host.
On the EclecticIQ Intelligence Center host, open the terminal.
Change ownership of the SSL certificate by running as root in the terminal:
chown eclecticiq:eclecticiq /path/to/cert.pem
Where
/path/to/cert.pem
is the location of the SSL certificate EclecticIQ Intelligence Center needs to access.
Data mapping#
Map indicators#
This table shows how each record from the Bitdefender Advanced Threat Intelligence Hash Feed is mapped to Indicator on the platform:
Indicator field name |
Mapped from Bitdefender Hash JSON |
Example value |
Description |
---|---|---|---|
Title |
|
9a05f01e247e0bc6cac7dc2508b492234039d93885ffba49b7fa769af910d451 |
Indicator from feed source. |
Analysis |
|
Threat name: phishing-unknown Threat family: phishing |
Contains information about threats associated with the domain. |
Types |
|
File Hash Watchlist |
Indicators from this feed are always ingested as File Hash Watchlist indicators. |
Confidence |
|
Unknown |
Indicators from this feed are always ingested with Confidence set to Unknown. |
Likely Impact |
|
Unknown |
Indicators from this feed are always ingested with Likely Impact set to Unknown. |
Estimated time |
|
Various |
|
Tags |
|
Threat family name |
Indicators are tagged with values found in these fields from Bitdefender Hash JSON. |
Map indicator timestamps#
The following table describes how Bitdefender Advanced Threat Intelligence Indicator timestamps are mapped to Indicator timestamps on the platform.
Indicator estimated time field |
CrowdStrike JSON field |
---|---|
Estimated threat start time |
|
Estimated threat end time |
|
Estimated observed time |
|
Half-life |
By default, set to Use default value. |
Ingested |
Date and time ingested. |
Supported observables#
The following table describes the observable types supported for this feed, and how they’re mapped from Bitdefender Hash JSON:
Observable type |
Maliciousness |
Maps from Bitdefender Hash JSON |
---|---|---|
File hash. See Map file hash types. |
High |
|
File hash. See Map file hash types. |
Unknown |
|
Country |
Safe |
|
Country Code |
Safe |
|
Map file hash types#
Value in Bitdefender Hash JSON |
Maps to EclecticIQ Observable type |
---|---|
md5 |
Hash-md5 |
sha1 |
Hash-sha1 |
sha256 |
Hash-sha256 |
sha512 |
Hash-sha512 |
crc32 |
Not a supported observable type. Set in indicator Analysis field. |