Incoming feed - OpenPhish


This procedure describes how to configure incoming feeds for a particular feed data source, transport type, or content type.
For more information about configuring common options shared across all incoming feeds, see Configure incoming feeds general options.


Specifications

Transport type

OpenPhish Feed

Content type

OpenPhish Feed Text

Ingested data

Ingests the freely available OpenPhish Community feed, a list of phishing and compromised URLs.

Processed data

URLs are saved as indicators.
The signalled phishing activities are saved as TTPs related to the corresponding indicators.

Description

Ingest information about phishing sites and compromised URLs.

Configure the incoming feed

  1. Create and edit an incoming feed.

  2. From the Transport type drop-down menu, select OpenPhish Feed.

  3. From the Content type drop-down menu, select OpenPhish Feed Text.
    The OpenPhish Feed transport type supports only the OpenPhish Feed Text content type.

  4. The API URL field is automatically filled in with the default domain for the endpoint.
    You can add a proxy or set up ports according to your needs.
    Default value: https://openphish.com/feed.txt.

  5. To store your changes, click Save; to discard them, click Cancel.

Test the feed

  1. In the top navigation bar, click Data Configuration > Incoming feeds.

  2. Click the feed that you just created, using the steps above.

  3. In the Overview view, click Download now.

  4. Click Ingested entities and check that entities have been ingested into the platform.

Or:

  1. In the top navigation bar, click Intelligence > All intelligence > Browse.

  2. Click the Entities tab.

  3. In the top-left corner, click images/download/attachments/33587742/filter.PNG .

  4. From the Source drop-down menu, select the incoming feed you have just created, using the steps.

  5. You can also filter also by entity type: from the Entity drop-down menu, select the entity types you want to include in the filtered results.

See also