Enricher - Cyfirma Threat IOC Search Enricher

Note

This article describes how to configure a particular enrichment source. To see how to configure enrichers in general, see Configure enrichers.

Specification

Enricher name

Cyfirma Threat IOC Search Enricher

Supported observable types

  • domain

  • email

  • hash-md5

  • hash-sha1

  • hash-sha256

  • host

  • ipv4

  • uri

Output

Looks up observables of the supported types against the Cyfirma API, retrieves the matching STIX 2.1 objects, and ingests them as EIQ entities.

API endpoint

Default: https://decyfir.cyfirma.com/

Requirements

  • Cyfirma API key

Configure the enricher

Note

Required fields are marked with an asterisk (*).

  1. Edit the enricher.

  2. Set the Source reliability for this enricher. All objects produced by this enricher inherit this source reliability.

  3. In the Parameters section, set the following fields:

    API URL*
      Default: https://decyfir.cyfirma.com/

    API key*
      Enter your Cyfirma API key.

    SSL verification
      Select to enforce SSL verification of the connection to the API URL.

    Path to SSL certificate file
      Enter the path to an SSL certificate file located on the EclecticIQ Intelligence Center host filesystem.

      To use an SSL certificate, it must be:

      • Accessible on the EclecticIQ Intelligence Center host.

      • Placed in a location that can be accessed by the eclecticiq user.

      • Owned by eclecticiq:eclecticiq.

      To make sure that EclecticIQ Intelligence Center can access the SSL certificate:

      1. Upload the SSL certificate to a location on the EclecticIQ Intelligence Center host.

      2. On the EclecticIQ Intelligence Center host, open the terminal.

      3. Change ownership of the SSL certificate by running the following as root in the terminal:

        chown eclecticiq:eclecticiq /path/to/cert.pem

        Where /path/to/cert.pem is the location of the SSL certificate EclecticIQ Intelligence Center needs to access.

  4. Select Save to save your changes.
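A pre-flight check for the certificate file configured above, added here as an example rather than EclecticIQ's own tooling: it confirms the file exists, is owned by the expected user and group, is not writable by other users, and is PEM-encoded, so a misconfigured path fails before the enricher is saved. It assumes GNU coreutils stat (Linux) and that the owner defaults to eclecticiq:eclecticiq.

```shell
#!/bin/sh
# Pre-flight check for the SSL certificate file an enricher will read.
# Added example; not part of EclecticIQ Intelligence Center.
# Usage: check_cert_file /path/to/cert.pem [owner:group]
check_cert_file() {
    cert="$1"
    want="${2:-eclecticiq:eclecticiq}"   # owner:group the platform expects

    if [ ! -f "$cert" ]; then
        echo "FAIL: $cert does not exist or is not a regular file" >&2
        return 1
    fi

    # GNU stat prints the owner and group as "user:group".
    have=$(stat -c '%U:%G' "$cert")
    if [ "$have" != "$want" ]; then
        echo "FAIL: $cert is owned by $have, expected $want (fix: chown $want $cert)" >&2
        return 2
    fi

    # A trust anchor that other local users can overwrite is not a trust anchor;
    # reject any mode whose "other" digit carries the write bit.
    mode=$(stat -c '%a' "$cert")
    case "$mode" in
        *[2367]) echo "FAIL: $cert is world-writable (mode $mode)" >&2; return 3 ;;
    esac

    # Only PEM is accepted here; a DER file has no BEGIN CERTIFICATE header.
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$cert"; then
        echo "FAIL: $cert is not PEM-encoded (no BEGIN CERTIFICATE header)" >&2
        return 4
    fi

    echo "OK: $cert is owned by $want, not world-writable, and PEM-encoded"
    return 0
}

# Run directly as a script with a path argument; when sourced, only the
# function is defined.
if [ "$#" -gt 0 ]; then
    check_cert_file "$@"
fi
```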