Incoming feed - Cofense PhishMe Intelligence


This procedure describes how to configure incoming feeds for a particular feed data source, transport type, or content type.
For more information about configuring common options shared across all incoming feeds, see Configure incoming feeds general options.


Specifications

Transport type

Cofense PhishMe Intelligence API

Content type

STIX 1.1.1

Ingested data

Cofense PhishMe Intelligence reports published since a specific start date.

Processed data

STIX reports focusing on malware and phishing campaigns.

Description

Retrieve and process Cofense PhishMe Intelligence reports on malware and phishing campaigns.

Configure the incoming feed

  1. Create or edit an incoming feed.

  2. From the Transport type drop-down menu, select Cofense PhishMe Intelligence API.

  3. From the Content type drop-down menu, select STIX 1.1.1.
    The Cofense PhishMe Intelligence API transport type supports only the STIX 1.1.1 content type.
    The organization providing the source data for the incoming feed is Cofense.

  4. The API URL field is automatically filled in with the default domain for the endpoint.
    You can add a proxy or set up ports according to your needs.
    Default value: https://www.threathq.com/.

  5. In the Username field, enter a valid user name to authenticate with the intelligence data source and to be authorized to download and ingest its data.

  6. In the Password field, enter a valid password to authenticate with the intelligence data source and to be authorized to download and ingest its data.

  7. The SSL verification checkbox is automatically selected.

  8. In the Path to SSL certificate file field, you can enter the path to your PEM file.
    It is also possible to leave the field blank.

  9. Click the Start ingesting from field, and use the drop-down calendar to select the initial date and, where available, the initial time from which to start fetching content from the intelligence provider/data source.
    Default value: 365 days in the past from the current time (now).

  10. To store your changes, click Save; to discard them, click Cancel.

Test the feed

  1. In the top navigation bar, click Data Configuration > Incoming feeds.

  2. Click the feed that you just created, using the steps above.

  3. In the Overview view, click Download now.

  4. Click Ingested entities and check that entities have been ingested into the platform.

Or:

  1. In the top navigation bar, click Intelligence > All intelligence > Browse.

  2. Click the Entities tab.

  3. In the top-left corner, click the filter icon.

  4. From the Source drop-down menu, select the incoming feed you have just created, using the steps above.

  5. You can also filter by entity type: from the Entity drop-down menu, select the entity types you want to include in the filtered results.
