Incoming feed - RSS version 2.0


This procedure describes how to configure incoming feeds for a particular feed data source, transport type, or content type.
For more information about configuring common options shared across all incoming feeds, see Configure incoming feeds general options.


Specifications

Transport type

RSS version 2.0

Content type

RSS HTML from link

Ingested data

Information made available through the RSS 2.0 web content syndication format.

Processed data

Most RSS feed URLs make available blog posts and articles that are stored to the platform as EclecticIQ HTML reports.
Keywords in the source page <meta name="keywords"> metadata section are added as tags to the reports they refer to.
Optionally, thumbnails and images are saved as attachments to the reports they refer to.

Description

Retrieve and ingest cyber threat information from feed sources that support the RSS 2.0 web content syndication format.

Configure the incoming feed

  1. Create or edit an incoming feed.

  2. From the Transport type drop-down menu, select RSS version 2.0.

  3. From the Content type drop-down menu, select RSS HTML from link.
    RSS 2.0 incoming feeds retrieve content by polling URL endpoints that make information available in RSS 2.0 format.
    The data provider is responsible for setting up their RSS feed channel, so that third-parties can poll it.

  4. In the RSS URL field, enter the URL that makes the RSS feed content available for retrieval.
    The feed polls this URL for updates, and to fetch content.
    Example: https://www.bleepingcomputer.com/feed/.

  5. In the Targeted element field, specify which element in the RSS feed XML structure contains the relevant content the feed should look for and fetch for further processing in the platform.
    It should correspond to the element that contains the information you want to save to the platform.
    Examples: article, description, div, p.

  6. In the Targeted element attributes (comma-separated) field, you can define one or more attributes to refine the filter for the incoming feed, if the element specified in Targeted element has attributes.
    Example: id=”main”, class=”main section”.
    If you specify an element in Targeted element, and one or more comma-separated attributes in Attributes of targeted element (comma separated), the incoming feed looks for and fetches only RSS content that matches both criteria.
    Example: Element: p. Attributes: id=”wannacry”, class=”ransomware”
    The incoming feed fetches content inside <p id="wannacry"></p> and <p class="ransomware"></p> elements.
    It does not fetch content inside <p></p> elements.

  7. Click the Start ingesting from field, and use the drop-down calendar to select an initial date and, where available, an initial time to fetch content from the intelligence provider/data source starting from a specific date in the past.
    By default, the max. amount of days in the past per each query/request is set to 30 days.

  8. Select the Feed uses feedburner checkbox to if the source RSS feed uses Feedburner.

  9. Select the Download thumbnails/images checkbox to to retrieve also thumbnails and images, which are saved as attachments to the resulting report they refer to.
    By default, the RSS version 2.0 feed timeout value is set to 02 minutes.

  10. To store your changes, click Save; to discard them, click Cancel.

See also