Incoming feed - Digital Shadows Searchlight Private Incidents Provider


This procedure describes how to configure incoming feeds for a particular feed data source, transport type, or content type.
For more information about configuring common options shared across all incoming feeds, see Configure incoming feeds general options.


Specifications

Transport types

Digital Shadows Searchlight Private Incidents Provider

Content type

Digital Shadows Incidents and Intelligence Threats JSON

Ingested data

Reports and records about private Incidents retrieved from the service exposed through the Digital Shadows Searchlight API.

Processed data

Reports, indicators, incidents, courses of action, exploit targets, and observables, based on the retrieved data.

Sets relationships, where applicable, between reports and indicators, indicators and courses of action, incidents and courses of action.

Description

Digital Shadows Searchlight enables proactive monitoring of the organization's assets and resources against malicious actors and activities that could target the organization.

Requirements

Digital Shadows Searchlight feeds are compatible with EclecticIQ Platform release 2.3.0 and later.
Users need an API key and an API secret to configure the Digital Shadows Searchlight API service.
If necessary, contact the intelligence provider to subscribe to the service and to obtain this information, along with any required authentication and authorization credentials.

Limitations

The extension relies on the Digital Shadows Searchlight API service. Therefore, it inherits any access limitations the API service enforces.

Configure the incoming feed

  1. Create or edit an incoming feed.

  2. From the Transport type drop-down menu, select Digital Shadows Searchlight Private Incidents Provider.

  3. From the Content type drop-down menu, select Digital Shadows Incidents and Intelligence Threats JSON.

  4. The API URL field is automatically populated with the default domain for the endpoint.
    Change it only if requests must go through a proxy or to a different endpoint; keep the https:// scheme, because the API key and secret are sent with every request.
    Default value: https://portal-digitalshadows.com

  5. In the API secret field, enter your API secret.

  6. In the API key field, enter your API key.

  7. To check the validity of the server-side SSL certificate when sending requests, select SSL verification.
    Leave this selected except while debugging a certificate problem: with verification off, the API key and secret are sent to whatever host answers for the endpoint.

  8. To validate a self-signed or a privately signed certificate, enter the full path to the CA bundle in Path to SSL certificate file.
    Allowed formats:

    • .ca-bundle

    • .pem

  9. Click the Start ingesting from field and use the drop-down calendar to select the initial date (and, where available, the initial time) from which content is fetched from the intelligence provider/data source.

  10. To store your changes, click Save; to discard them, click Cancel.


By default, the incoming feed timeout value is set to 2 minutes.
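The following is an added example, not code from EclecticIQ or Digital Shadows, that reproduces the checks behind steps 4 to 8 with only the Python standard library, so it runs offline: the API URL must be https, the CA bundle must be a .pem or .ca-bundle file, and switching SSL verification off removes both the certificate and the hostname check. It assumes HTTP Basic authentication with the API key as user name and the API secret as password; the page does not state the authentication scheme, so confirm it against the provider's API documentation. The request path "/api/example" is a placeholder, not a real endpoint.

```python
"""Added example (not EclecticIQ or Digital Shadows code): builds the TLS and
authentication settings described by the feed configuration steps, offline."""
import base64
import os
import ssl
import urllib.request
from urllib.parse import urlsplit

DEFAULT_API_URL = "https://portal-digitalshadows.com"
ALLOWED_CA_SUFFIXES = (".pem", ".ca-bundle")   # formats the feed accepts for the CA bundle


def normalize_api_url(url=DEFAULT_API_URL):
    """Accept only an https:// base URL: the key and secret travel with every request."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("API URL must be an https:// URL with a host: %r" % url)
    return "https://" + parts.netloc + parts.path.rstrip("/")


def check_ca_bundle_path(path):
    """Apply the feed's file-format rule before trying to load the bundle."""
    if not path.lower().endswith(ALLOWED_CA_SUFFIXES):
        raise ValueError("CA bundle must be a .pem or .ca-bundle file: %r" % path)
    if not os.path.isfile(path):
        raise FileNotFoundError(path)
    return path


def build_ssl_context(ssl_verification=True, ca_bundle_path=None):
    """SSL verification on: system trust store, or the given private CA bundle.
    SSL verification off: no certificate and no hostname check at all, so anyone
    who can answer for the endpoint receives the key and secret (debugging only)."""
    ctx = ssl.create_default_context()           # CERT_REQUIRED plus hostname check
    if not ssl_verification:
        ctx.check_hostname = False               # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    elif ca_bundle_path:
        ctx.load_verify_locations(cafile=check_ca_bundle_path(ca_bundle_path))
    return ctx


def verification_summary(ctx):
    """(verify mode name, hostname check flag) for a context built above."""
    return (ctx.verify_mode.name, ctx.check_hostname)


def basic_auth_header(api_key, api_secret):
    """Assumption: HTTP Basic auth, key as user name, secret as password."""
    token = base64.b64encode(("%s:%s" % (api_key, api_secret)).encode()).decode()
    return "Basic " + token


def build_request(api_url, path, api_key, api_secret):
    """Prepare, without sending, a GET below the API URL. The path is a
    placeholder; real paths come from the provider's API documentation."""
    req = urllib.request.Request(normalize_api_url(api_url) + path)
    req.add_header("Authorization", basic_auth_header(api_key, api_secret))
    req.add_header("Accept", "application/json")
    return req


if __name__ == "__main__":
    # Constructed values: replace with the key, secret and bundle path from the feed form.
    ctx = build_ssl_context(ssl_verification=True)
    req = build_request(DEFAULT_API_URL, "/api/example", "KEY", "SECRET")
    print(req.full_url, verification_summary(ctx))
    # To send it with the feed's default 2-minute timeout:
    # urllib.request.urlopen(req, context=ctx, timeout=120)
```

The context with verification on is what the feed uses with SSL verification selected and no bundle path; passing a .pem or .ca-bundle path adds the private CA to the default trust store rather than replacing it.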

Ingestion and processing

Ingested data: Report

Resulting output: entities extracted from the ingested Digital Shadows Searchlight report:

  • Reports

  • Indicators

  • Incidents

  • Courses of action

  • Observables:

    • actor-id

    • asn

    • city

    • company

    • country

    • country-code

    • domain

    • email

    • file

    • geo-lat

    • geo-long

    • handle

    • hash-md5

    • hash-sha1

    • hash-sha256

    • host

    • ipv4

    • ipv6

    • organization

    • port

    • postcode

    • registrar

    • uri

    • winregistry

The Digital Shadows Searchlight Private Incidents Provider feed produces reports, incidents, and related courses of action when ingested reports mention:

  • Compromised or leaked credentials

  • Compromised or leaked documents

  • Compromised or leaked corporate information

  • Compromised or leaked customer information

  • Compromised or leaked personal information

  • Intellectual property abuse, misuse, or other potentially malicious actions

  • Defamation

  • Brand misuse

  • Employees that may act as potential threats

  • Companies that may act as potential threats

  • Technical weaknesses and vulnerabilities

  • Exposed ports

  • Domain certificate issues

  • Potentially unwanted or malicious mobile apps

  • Phishing attempts

  • Profile spoofing

  • CVEs that are relevant for the organization

The Intent field of ingested reports is set to Threat report.

Resulting reports, indicators, incidents, and courses of action are prepopulated with the following details:

  • Identity is set to Digital Shadows Searchlight Provider.

  • Roles is set to either Initial Author, or to Aggregator when the resulting entity aggregates information from multiple Digital Shadows source references.

  • The Estimated observed time of the resulting reports, incidents, and indicators is extracted and populated, when available.

  • Tags are extracted and automatically added to the resulting entities, when available.

Moreover, the following indicator fields are prepopulated with ingested and extracted data:

  • Types is set to Domain Watchlist for domain name indicators, and to IP Watchlist for IP address indicators.
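As an added illustration of the rules listed above (this is not EclecticIQ's or Digital Shadows' code, and the incident record it consumes is a constructed sample in a made-up shape, not the Searchlight JSON schema), the following Python applies the stated mapping to one record: the report intent, identity, role choice by number of source references, observed time and tags, Domain Watchlist or IP Watchlist by observable kind, and the report/indicator, indicator/course of action and incident/course of action relationships. The observable classifier goes slightly beyond the page by also recognizing ipv6 and uri values.

```python
"""Added example (not EclecticIQ or Digital Shadows code): applies the entity and
relationship rules described for this feed to a constructed incident record."""
import ipaddress
import re
from datetime import datetime, timezone

IDENTITY = "Digital Shadows Searchlight Provider"
INTENT = "Threat report"
# Indicator type per observable kind, as stated for this feed.
WATCHLIST_TYPES = {"domain": "Domain Watchlist", "ipv4": "IP Watchlist", "ipv6": "IP Watchlist"}
_DOMAIN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

# Constructed sample in a made-up shape; the real Searchlight JSON schema is not shown here.
SAMPLE_INCIDENT = {
    "id": "ds-incident-1",
    "title": "Phishing site impersonating the customer portal",
    "published": "2021-03-01T10:15:00Z",
    "tags": ["phishing", "brand-misuse"],
    "mitigation": "Request takedown and block the domain at the proxy",
    "source_references": ["ref-a", "ref-b"],          # two sources, so the role is Aggregator
    "iocs": ["login-example.test", "203.0.113.7", "https://login-example.test/reset"],
}


def observable_type(value):
    """Classify a raw value as ipv4, ipv6, uri or domain; anything else becomes host."""
    try:
        return "ipv%d" % ipaddress.ip_address(value).version
    except ValueError:
        pass
    if "://" in value:
        return "uri"
    if _DOMAIN_RE.match(value):
        return "domain"
    return "host"


def role_for(source_references):
    """Initial Author for a single source, Aggregator when several are merged."""
    return "Aggregator" if len(source_references) > 1 else "Initial Author"


def observed_time(ts):
    """Normalize an ISO 8601 timestamp (with Z or offset) to UTC; None when absent."""
    if not ts:
        return None
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc).isoformat()


def build_entities(incident):
    common = {"identity": IDENTITY,
              "roles": [role_for(incident.get("source_references", []))],
              "tags": list(incident.get("tags", []))}
    # Observed time is set on reports, incidents and indicators, not on courses of action.
    timed = dict(common, estimated_observed_time=observed_time(incident.get("published")))
    report = dict(timed, kind="report", title=incident["title"], intent=INTENT)
    inc = dict(timed, kind="incident", title=incident["title"])
    coa = dict(common, kind="course-of-action", title=incident["mitigation"])
    observables, indicators = [], []
    for raw in incident.get("iocs", []):
        otype = observable_type(raw)
        observables.append({"type": otype, "value": raw})
        watchlist = WATCHLIST_TYPES.get(otype)
        if watchlist:          # only domain and IP observables become watchlist indicators
            indicators.append(dict(timed, kind="indicator", title=raw,
                                   types=[watchlist], observables=[raw]))
    relationships = [("report", "indicator", i["title"]) for i in indicators]
    relationships += [("indicator", "course-of-action", i["title"]) for i in indicators]
    relationships.append(("incident", "course-of-action", coa["title"]))
    return {"report": report, "incident": inc, "course_of_action": coa,
            "indicators": indicators, "observables": observables,
            "relationships": relationships}


if __name__ == "__main__":
    for rel in build_entities(SAMPLE_INCIDENT)["relationships"]:
        print(rel)
```

The uri observable is kept as an observable but yields no indicator, since the feed only assigns Domain Watchlist and IP Watchlist types; if your own tooling needs URL indicators, that is a separate rule to add, not one the page describes.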

Test the feed

  1. In the top navigation bar, click Data Configuration > Incoming feeds.

  2. Click the feed that you just created, using the steps above.

  3. In the Overview view, click Download now.

  4. Click Ingested entities and check that entities have been ingested into the platform.

Or:

  1. In the top navigation bar, click Intelligence > All intelligence > Browse.

  2. Click the Entities tab.

  3. In the top-left corner, click the filter icon.

  4. From the Source drop-down menu, select the incoming feed you have just created with the steps above.

  5. You can also filter by entity type: from the Entity drop-down menu, select the entity types you want to include in the filtered results.

See also