Incoming feed - Cisco Threat Grid Samples API


This procedure describes how to configure incoming feeds for a particular feed data source, transport type, or content type.
For more information about configuring common options shared across all incoming feeds, see Configure incoming feeds general options.


Specifications

Transport type

Cisco Threat Grid Samples API

Content type

Cisco Threat Grid JSON

Ingested data

Data obtained from the analysis of submitted samples.
Samples can be files, file types, running processes, URLs, IP domains, hashes, and registry keys.

Processed data

Observables, where each observable represents an indicator of compromise (IOC).

Description

Retrieve and process information on compromised IP addresses, domains, hashes, registry keys, and network streams.

Requirements

Users need an API key for their own configuration. Sign up and subscribe to the service to obtain the required API key credentials.

Configure the incoming feed

  1. Create or edit an incoming feed.

  2. From the Transport type drop-down menu, select Cisco Threat Grid Samples API.

  3. From the Content type drop-down menu, select Cisco Threat Grid JSON.

  4. The API URL field is automatically filled in with the default domain for the endpoint.
    You can add a proxy or set up ports according to your needs.
    Default value: https://panacea.threatgrid.com/api/v2/.

  5. In the API key field, fill in the Cisco API key.

  6. The SSL verification checkbox is automatically selected.

  7. In the Path to SSL certificate file field, you can enter the path to your PEM file.
    It is also possible to leave the field blank.

  8. In the Confidence threshold field, fill in an integer.
    This defines a minimum value: any threat whose reliability level (a score representing the trustworthiness of the information) is lower than the specified value is filtered out and excluded from the feed.

    • Allowed range: 0-100

    • Default value: 80

  9. In the Severity threshold field, fill in an integer.
    This defines a minimum value: any threat whose severity level (a score representing the potential risk it may pose) is lower than the specified value is filtered out and excluded from the feed.

    • Allowed range: 0-100

    • Default value: 80

  10. In the Threat score threshold field, fill in an integer.
    This defines a minimum value: any threat ranking lower than the specified value is filtered out and excluded from the feed.
    The threat score represents a threat's potential aggressiveness and maliciousness.

    • Allowed range: 0-100

    • Default value: 80

    Setting thresholds enables conditional execution.
    For example, if an entity in the feed holds a value exceeding the predefined threshold, it can trigger a process to execute a follow-up action.

  11. Click the Start ingesting from field, and use the drop-down calendar to select an initial date and, where available, an initial time. Content is fetched from the intelligence provider/data source starting from that date in the past.
    If you do not specify a start date, the default start date is 6 months in the past.
    This means that if you leave this field empty, the incoming feed fetches data from 6 months ago up to the present time.

  12. Select the Organization only checkbox to enable the enricher to check and display only submitted samples created by the organization the current user belongs to.
    That is, the organization needs to be the author of the submitted samples.
    When selected, this field is validated against the API key value granting access to the service.
    This checkbox is not preselected by default.

  13. The following options can be selected:

    • Select the Fetch IPs checkbox to include samples about compromised IP addresses.

    • Select the Fetch URLs checkbox to include samples about compromised URLs.

    • Select the Fetch domains checkbox to include samples about compromised domain names.

    • Select the Fetch artifacts checkbox to include samples about compromised artifacts; for example, file hash values.

    • Select the Fetch registry keys checkbox to include samples about compromised (Windows) registry key data.

    • Select the Fetch network streams checkbox to include samples about network stream information exchanged among compromised machines.

  14. To store your changes, click Save; to discard them, click Cancel.
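The thresholds, start date and Fetch checkboxes in steps 8-13 together decide which sample analysis results become observables. The following is an added example, not code from the Cisco Threat Grid or platform documentation, that reproduces that filtering logic over a few constructed Threat Grid-style sample records. The record layout (fields such as `confidence`, `severity`, `threat_score`, `submitted_at`, `iocs`) and the 183-day approximation of "6 months" are assumptions made for the example; they are not the real API's schema.

```python
"""Added example: reproduce an incoming feed's threshold, start-date and
fetch-type filtering over constructed Threat Grid-style sample records.
All field names and the sample data below are assumptions, not the real API schema."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Fixed "now" so the example is reproducible offline.
NOW = datetime(2024, 4, 1, tzinfo=timezone.utc)

# Constructed sample analysis records (assumed layout, not real Threat Grid output).
SAMPLES = [
    {"id": "s1", "confidence": 90, "severity": 85, "threat_score": 95,
     "submitted_at": "2024-03-01T12:00:00+00:00",
     "iocs": [{"type": "ip", "value": "203.0.113.5"},
              {"type": "domain", "value": "c2.example.test"}]},
    {"id": "s2", "confidence": 60, "severity": 70, "threat_score": 65,
     "submitted_at": "2024-03-10T08:00:00+00:00",
     "iocs": [{"type": "url", "value": "http://bad.example.test/x"}]},
    {"id": "s3", "confidence": 95, "severity": 95, "threat_score": 95,
     "submitted_at": "2023-01-15T00:00:00+00:00",   # older than the default window
     "iocs": [{"type": "ip", "value": "198.51.100.7"}]},
    {"id": "s4", "confidence": 80, "severity": 80, "threat_score": 80,  # exactly at threshold
     "submitted_at": "2024-03-20T09:30:00+00:00",
     "iocs": [{"type": "registry_key", "value": r"HKLM\Software\Example\Run"}]},
]

ALL_TYPES = {"ip", "url", "domain", "artifact", "registry_key", "network_stream"}


def threshold_is_valid(value) -> bool:
    """Thresholds are integers in the allowed range 0-100 (bool is rejected)."""
    return isinstance(value, int) and not isinstance(value, bool) and 0 <= value <= 100


@dataclass
class FeedConfig:
    """Mirrors the feed settings; defaults match the documented defaults (80)."""
    confidence_threshold: int = 80
    severity_threshold: int = 80
    threat_score_threshold: int = 80
    start_ingesting_from: Optional[datetime] = None   # None -> default of 6 months back
    fetch_types: set[str] = field(default_factory=lambda: set(ALL_TYPES))

    def __post_init__(self):
        for name in ("confidence_threshold", "severity_threshold", "threat_score_threshold"):
            if not threshold_is_valid(getattr(self, name)):
                raise ValueError(f"{name} must be an integer in 0-100")

    def start_date(self, now: datetime) -> datetime:
        # Assumption: "6 months in the past" approximated as 183 days.
        return self.start_ingesting_from or now - timedelta(days=183)


def passes_thresholds(sample: dict, cfg: FeedConfig) -> bool:
    """A sample is kept only if every score is at or above its threshold."""
    return (sample["confidence"] >= cfg.confidence_threshold
            and sample["severity"] >= cfg.severity_threshold
            and sample["threat_score"] >= cfg.threat_score_threshold)


def build_observables(samples: list[dict], cfg: FeedConfig, now: datetime = NOW) -> list[dict]:
    """Turn qualifying samples into one observable (IOC) per selected IOC type."""
    start = cfg.start_date(now)
    observables = []
    for sample in samples:
        submitted = datetime.fromisoformat(sample["submitted_at"])
        if submitted < start or not passes_thresholds(sample, cfg):
            continue
        for ioc in sample["iocs"]:
            if ioc["type"] in cfg.fetch_types:          # honours the Fetch ... checkboxes
                observables.append({"type": ioc["type"], "value": ioc["value"],
                                    "confidence": sample["confidence"],
                                    "sample_id": sample["id"]})
    return observables


if __name__ == "__main__":
    for obs in build_observables(SAMPLES, FeedConfig()):
        print(obs)
```

With the defaults, `s2` is dropped by the confidence threshold, `s3` by the default 6-month window, and `s4` is kept because a score equal to the threshold is not "lower than" it; lowering all three thresholds to 50 brings `s2` back in, and clearing all Fetch checkboxes except IPs leaves only the address from `s1`.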

Test the feed

  1. In the top navigation bar, click Data Configuration > Incoming feeds.

  2. Click the feed that you just created, using the steps above.

  3. In the Overview view, click Download now.

  4. Click Ingested entities and check that entities have been ingested into the platform.

Or:

  1. In the top navigation bar, click Intelligence > All intelligence > Browse.

  2. Click the Entities tab.

  3. In the top-left corner, click the filter icon.

  4. From the Source drop-down menu, select the incoming feed you have just created, using the steps above.

  5. You can also filter by entity type: from the Entity drop-down menu, select the entity types you want to include in the filtered results.
