Incoming feed - VMRay Malware Submission Feed
This article describes how to configure incoming feeds for a particular feed source. To see how to configure incoming feeds in general, see Configure incoming feeds general options.
| Specifications | |
| --- | --- |
| Transport type | VMRay Malware Submission Feed |
| Content type | VMRay JSON |
| Ingested data | This extension uses the VMRay Platform REST API to ingest malware submissions as indicators and TTPs from your VMRay instance. |
| Processed data | Submissions are ingested as TTP entities on the platform, and malware samples are ingested as indicators. |
Requirements
VMRay API key
Configure the incoming feed
Create or edit an incoming feed.
Under Transport and content, fill out these fields:
Required fields are marked with an asterisk (*).
| Field | Description |
| --- | --- |
| Transport type* | Select VMRay Malware Submission Feed from the drop-down menu. |
| Content type* | Select VMRay JSON from the drop-down menu. |
| API URL* | Set this to the REST API endpoint for your VMRay instance. By default, this is set to the REST API endpoint for VMRay cloud services: https://cloud.vmray.com/rest/ |
| API key* | Set this to your VMRay API key. |
| Ingest submissions with verdict = Not Suspicious | Select to include submissions with a severity value of not_suspicious when ingesting the feed. By default, the extension only ingests submissions with these severity values: malicious, suspicious, and blacklisted. |
| Ingest submissions with verdict = Unknown | Select to include submissions with a severity value of unknown when ingesting the feed. By default, the extension only ingests submissions with these severity values: malicious, suspicious, and blacklisted. |
| Process malware artifacts with verdict = Suspicious | Select to include samples with a severity value of suspicious when ingesting the feed. By default, the extension only ingests samples with these severity values: malicious and blacklisted. |
| Process malware artifacts with verdict = Not Suspicious | Select to include samples with a severity value of not_suspicious when ingesting the feed. By default, the extension only ingests samples with these severity values: malicious and blacklisted. |
| Process malware artifacts with verdict = Unknown | Select to include samples with a severity value of unknown when ingesting the feed. By default, the extension only ingests samples with these severity values: malicious and blacklisted. |
| SSL verification | Selected by default. Select this option to enable SSL for this feed. |
| Path to SSL certificate file | Used when connecting to a feed source that uses a custom CA. Set this to the path of the SSL certificate to use when authenticating the feed source. |
| Start ingesting from* | Ingest data from the feed source starting from this date and time. Use the drop-down calendar to select the date and time you want to start ingesting feed data from. |
Store your changes by selecting Save.