Incoming feed - Digital Shadows Searchlight Global Incidents Provider#
Note
This article describes how to configure incoming feeds for a particular feed source. To see how to configure incoming feeds in general, see Create and configure incoming feeds.
Specifications |
|
---|---|
Transport types |
Digital Shadows Searchlight Global Incidents Provider |
Content type |
Digital Shadows Incidents and Intelligence Threats JSON |
Ingested data |
Reports and records about global Incidents retrieved from the service exposed through the Digital Shadows Searchlight API. |
Processed data |
Reports and courses of action, based on retrieved data. Sets relationships, where applicable, between reports and courses of action. |
Description |
Digital Shadows Searchlight enables proactive monitoring of the organization’s assets and resources against malicious actors and activities that could target the organization. |
Prerequisites#
Digital Shadows Searchlight feeds are compatible with EclecticIQ Platform release 2.3.0 and later.
Users need an API key and an API secret to configure the Digital Shadows Searchlight API service.
If necessary, contact the intelligence provider to subscribe to the service and to obtain this information, along with any required authentication and authorization credentials.
Limitations#
The extension relies on the Digital Shadows Searchlight API service. Therefore, it inherits any access limitations the API service enforces.
Configure the incoming feed#
Create or edit an incoming feed.
From the Transport type drop-down menu, select Digital Shadows Searchlight Private Incidents Provider.
From the Content type drop-down menu, select Digital Shadows Incidents and Intelligence Threats JSON.
The API URL field is automatically populated with the default domain for the endpoint.
You can add a proxy or set up specific communication, as needed.
Default value:https://portal-digitalshadows.com
In the API secret field, enter your In the top navigation bar click API secret.
In the API key field, enter your In the top navigation bar click API key.
To check the validity of the server-side SSL certificate when sending requests, select SSL verification.
To validate a self-signed or a privately signed certificate, enter the full path to the CA bundle in Path to SSL certificate file.
Allowed formats:.ca-bundle
.pem
Click the Start ingesting from field, and use the drop-down calendar to select an initial date and, where available, an initial time to fetch content from the intelligence provider/data source starting from a specific date in the past.
To store your changes, click Save; to discard them, click Cancel.
Note
By default, the incoming feed timeout value is set to 2 minutes.
Ingestion and processing#
Ingested data |
Resulting output |
---|---|
Report |
Entities extracted from the ingested Digital Shadows Searchlight report:
|
The Digital Shadows Searchlight Private Incidents Provider feed produces reports and courses of action when ingested reports mention:
Compromised or leaked credentials
Compromised or leaked documents
Compromised or leaked corporate information
Compromised or leaked customer information
Compromised or leaked personal information
Intellectual property abuse, misuse, or other potentially malicious actions
Defamation
Brand misuse
Employees that may act as potential threats
Companies that may act as potential threats
Technical weaknesses and vulnerabilities
Exposed ports
Domain certificate issues
Potentially unwanted or malicious mobile apps
Phishing attempts
Profile spoofing
CVEs that are relevant for the organization
The Intent field of ingested reports is set to Threat report.
Resulting reports and courses of action are prepopulated with the following details:
Identity is set to Digital Shadows Searchlight Provider.
Roles is set to either Initial Author, or to Aggregator when the resulting entities aggregate information from multiple Digital Shadows source references.
The Estimated observed time of the resulting reports is extracted and populated, when available.
Tags are extracted and automatically added to the resulting entities, when available.
Test the feed#
In the top navigation bar, click Data Configuration > Incoming feeds.
Click the feed that you just created, using the steps above.
In the Overview view, click Download now.
Click Ingested entities and check that entities have been ingested into the platform.
Or:
In the top navigation bar, click Intelligence > All intelligence > Browse.
Click the Entities tab.
From the Source drop-down menu, select the incoming feed you have just created, using the steps.
You can also filter also by entity type: from the Entity drop-down menu, select the entity types you want to include in the filtered results.