This procedure describes how to configure incoming feeds for a particular feed data source, transport type, or content type.
For more information about configuring common options shared across all incoming feeds, see Configure incoming feeds general options.
Digital Shadows Searchlight Private Incidents Provider
Digital Shadows Incidents and Intelligence Threats JSON
Reports and records about private Incidents retrieved from the service exposed through the Digital Shadows Searchlight API.
Reports, indicators, incidents, courses of action, exploit targets, and observables, based on the retrieved data.
Sets relationships, where applicable, between reports and indicators, indicators and courses of action, incidents and courses of action.
Digital Shadows Searchlight enables proactive monitoring of the organization's assets and resources against malicious actors and activities that could target the organization.
Digital Shadows Searchlight feeds are compatible with EclecticIQ Platform release 2.3.0 and later.
Users need an API key and an API secret to configure the Digital Shadows Searchlight API service.
If necessary, contact the intelligence provider to subscribe to the service and to obtain this information, along with any required authentication and authorization credentials.
The extension relies on the Digital Shadows Searchlight API service. Therefore, it inherits any access limitations the API service enforces.
Configure the incoming feed
Create or edit an incoming feed.
From the Transport type drop-down menu, select Digital Shadows Searchlight Private Incidents Provider.
From the Content type drop-down menu, select Digital Shadows Incidents and Intelligence Threats JSON.
The API URL field is automatically populated with the default domain for the endpoint.
You can add a proxy or set up specific communication, as needed.
Default value: https://portal-digitalshadows.com
In the API secret field, enter your API secret.
In the API key field, enter your API key.
To check the validity of the server-side SSL certificate when sending requests, select SSL verification.
To validate a self-signed or a privately signed certificate, enter the full path to the CA bundle in Path to SSL certificate file.
Click the Start ingesting from field, and use the drop-down calendar to select the initial date and, where available, the initial time from which to start fetching content from the intelligence provider or data source.
To store your changes, click Save; to discard them, click Cancel.
By default, the incoming feed timeout value is set to 2 minutes.
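The SSL verification and Path to SSL certificate file options above can be checked before saving the feed. The following is an added example, not EclecticIQ or Digital Shadows code: it performs a verified TLS handshake with the host in the API URL, trusting either the system store or the CA bundle you intend to enter. It tests only the certificate chain and host name, not the API key or secret; the function names and the script name are assumptions.

```python
import socket
import ssl
import sys
from urllib.parse import urlsplit


def endpoint_from_url(api_url):
    """Return (host, port) for an https:// API URL; reject anything else."""
    parts = urlsplit(api_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("API URL must be an https:// URL with a host name")
    return parts.hostname, parts.port or 443


def build_context(ca_bundle=None):
    """Verifying TLS context. With ca_bundle set, only that bundle is trusted;
    otherwise the system trust store is used."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def check_endpoint(api_url, ca_bundle=None, timeout=10):
    """Handshake with the endpoint and report whether its certificate validates."""
    try:
        host, port = endpoint_from_url(api_url)
        ctx = build_context(ca_bundle)
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"ok": True, "tls": tls.version(),
                        "not_after": cert.get("notAfter")}
    except ssl.SSLCertVerificationError as exc:
        # Untrusted issuer, expired certificate, or host name mismatch.
        return {"ok": False, "error": "certificate: " + exc.verify_message}
    except (OSError, ValueError) as exc:
        # Missing or unreadable bundle, DNS or connection failure, bad URL.
        return {"ok": False, "error": f"{type(exc).__name__}: {exc}"}


if __name__ == "__main__":
    # Usage: python check_tls.py <API URL> [path to CA bundle]
    url = sys.argv[1]
    bundle = sys.argv[2] if len(sys.argv) > 2 else None
    print(check_endpoint(url, bundle))
```

A result with "ok": False and a certificate error when run with your bundle means the feed would fail the same check with SSL verification selected.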
Ingestion and processing
Entities extracted from the ingested Digital Shadows Searchlight report:
The Digital Shadows Searchlight Private Incidents Provider feed produces reports, incidents, and related courses of action when ingested reports mention:
Compromised or leaked credentials
Compromised or leaked documents
Compromised or leaked corporate information
Compromised or leaked customer information
Compromised or leaked personal information
Intellectual property abuse, misuse, or other potentially malicious actions
Employees that may act as potential threats
Companies that may act as potential threats
Technical weaknesses and vulnerabilities
Domain certificate issues
Potentially unwanted or malicious mobile apps
CVEs that are relevant for the organization
The Intent field of ingested reports is set to Threat report.
Resulting reports, indicators, incidents, and courses of action are prepopulated with the following details:
Identity is set to Digital Shadows Searchlight Provider.
Roles is set to either Initial Author, or to Aggregator when the resulting entity aggregates information from multiple Digital Shadows source references.
The Estimated observed time of the resulting reports, incidents, and indicators is extracted and populated, when available.
Tags are extracted and automatically added to the resulting entities, when available.
Moreover, the following indicator fields are prepopulated with ingested and extracted data:
Types is set to Domain Watchlist for domain name indicators, and to IP Watchlist for IP address indicators.
Test the feed
In the top navigation bar, click Data Configuration > Incoming feeds.
Click the feed that you just created, using the steps above.
In the Overview view, click Download now.
Click Ingested entities and check that entities have been ingested into the platform.
In the top navigation bar, click Intelligence > All intelligence > Browse.
Click the Entities tab.
In the top-left corner, click .
From the Source drop-down menu, select the incoming feed you have just created, using the steps above.
You can also filter by entity type: from the Entity drop-down menu, select the entity types you want to include in the filtered results.