Incoming feed - VMRay Malware Submission Feed#

Note

This article describes how to configure incoming feeds for a particular feed source. To see how to configure incoming feeds in general, see Create and configure incoming feeds.

Specifications

Transport type

VMRay Malware Submission Feed

Content type

VMRay JSON

Ingested data

This extension uses the VMRay Platform REST API to ingest malware submissions as indicators and TTPs from your VMRay instance.

Processed data

Submissions are ingested as TTP entities on the platform, and malware samples are ingested as indicators.

Requirements#

  • VMRay API key

Configure the incoming feed#

  1. Create or edit an incoming feed.

  2. Under Transport and content, fill out these fields:

    Note

    Required fields are marked with an asterisk (*).

    Field

    Description

    Transport type*

    Select VMRay Malware Submission Feed from the drop-down menu.

    Content type*

    Select VMRay JSON from the drop-down menu.

    API URL*

    Set this to the REST API endpoint for your VMRay instance.

    By default, this is set to the REST API endpoint for VMRay cloud services: https://cloud.vmray.com/rest/

    API key*

    Set this to your VMRay API key.

    Ingest submissions with verdict = Not Suspicious

    Select to include submissions with severity value of not_suspicious when ingesting the feed. By default, the extension only ingests submissions with these severity values: malicious, suspicious, and blacklisted.

    Ingest submissions with verdict = Unknown

    Select to include submissions with severity value of unknown when ingesting the feed. By default, the extension only ingests submissions with these severity values: malicious, suspicious, and blacklisted.

    Process malware artifacts with verdict = Suspicious

    Select to include samples with severity value of suspicious when ingesting feed. By default, extension only ingests samples with severity values: malicious, and blacklisted.

    Process malware artifacts with verdict = Not Suspicious

    Select to include samples with severity value of not_suspicious when ingesting feed. By default, extension only ingests samples with severity values: malicious, and blacklisted.

    Process malware artifacts with verdict = Unknown

    Select to include samples with severity value of unknown when ingesting feed. By default, extension only ingests samples with severity values: malicious, and blacklisted.

    SSL verification

    Selected by default. Select this option to enable SSL for this feed.

    Path to SSL certificate file.

    Used when connecting to a feed source that uses a custom CA. Set this as the path to the SSL certificate to use when authenticating the feed source.

    Start ingesting from*

    Ingest data from the feed source starting from this date and time. Use the drop-down calendar to select the date and time you want to start ingesting feed data from.

  3. Store your changes by selecting Save.