Outgoing feeds reference
Reference section with lookup information on supported outgoing feed content types and transport types.
Available outgoing feeds
The overview lists and points to the articles on the available outgoing feeds. Each article describes how to configure the specific options for each outgoing feed.
Typically, outgoing feeds use different transport types and content types. General configuration options are identical across all outgoing feeds.
| Title | Excerpt |
| --- | --- |
| Configure Amazon S3 push transport and content | Set up and configure transport and content types for Amazon S3 push outgoing feeds to securely transfer data to selected Amazon S3 buckets. |
| Configure email transport and content | Set up and configure transport and content types for Send email outgoing feeds to publish selected platform data as email attachments. |
| Configure FTP upload transport and content | Set up and configure transport and content types for FTP upload outgoing feeds to publish selected platform data to an FTP server. |
| Configure HTTP download transport and content | Set up and configure transport and content types for HTTP download outgoing feeds to publish selected platform data to an HTTP server. |
| Configure Mount point upload transport and content | Set up and configure transport and content types for Mount point upload outgoing feeds to publish selected platform data to a specific location on a local or network unit. |
| Configure SFTP upload transport and content | Set up and configure transport and content types for SFTP upload outgoing feeds to publish selected platform data to an SFTP server. |
| Configure Syslog push transport and content | Set up and configure transport and content types for Syslog push outgoing feeds to publish selected platform data to a Syslog server. |
| Configure TAXII inbox transport and content | Set up and configure transport and content types for TAXII inbox outgoing feeds to publish selected platform data through the TAXII inbox service. |
| Configure TAXII poll transport and content | Set up and configure transport and content types for TAXII poll outgoing feeds to publish selected platform data through the TAXII poll service. |
| Exchange data between platforms | Configure TAXII feeds to enable data exchange between two platform instances. |
Content types
These are the data formats the platform can process through feeds.
In the Feed type column, "in" marks an input format that incoming feeds ingest, and "out" marks an output format that outgoing feeds publish.
| Content type | Feed type | Description |
| --- | --- | --- |
| Anubis Cyberfeed JSON | in | JSON format representing entity data as JSON objects. |
| ArcSight CEF | out | The Common Event Format is a text-based standard for log records proposed by ArcSight. It enables sharing, consuming, and parsing event information across devices such as SIEM platforms and Syslog servers. |
| Cisco Threat Grid Samples JSON | in | JSON format representing entity data as JSON objects. |
| EclecticIQ Entities CSV | out | Comma-separated CSV format for tabular data representation of entities. |
| EclecticIQ Observables CSV | out | Comma-separated CSV format for tabular data representation of observables. |
| EclecticIQ HTML Report | out | Default HTML format to publish EclecticIQ intel reports. |
| EclecticIQ HTML Report Digest | out | Default HTML format to publish EclecticIQ intel report digests. |
| EclecticIQ JSON | in, out | JSON format representing entity data as JSON objects. |
| Intel 471 | in | Intel 471 reports. Bundled observables are linked to the parent report entity. API endpoint: https://api.intel471.com/v1/reports/{} |
|  | in, out | Standard PDF format, preferably native (not scanned). |
| STIX 1.0 | in, out | STIX data model v. 1.0. |
| STIX 1.1 | in, out | STIX data model v. 1.1. |
| STIX 1.1.1 | in, out | STIX data model v. 1.1.1. |
| STIX 1.2 | in, out | STIX data model v. 1.2. |
| Text/Plain text value | in, out | Plain text format. This content type enables entering free text and literals, wildcards (where supported), as well as JSON paths to point to specific entity property fields, and regex patterns to filter data. |
| Threat Recon | in | Threat Recon JSON output returned by the Threat Recon API. Threat Recon focuses on providing information about indicators. |
| STIX 1.1.1 | in | FireEye iSIGHT Intelligence Report API outputs reports in STIX 1.1.1 format. Reports concern threat topics such as vulnerabilities, malware, threat actors, strategies, tactics, and techniques. |
| BFK Threat Intelligence JSON | in | BFK reports and NIDs (Network Intrusion Detections) are saved as JSON report entities; they concern threat topics such as threat actors, targeted victims, tactics, and techniques. |
| Crowdstrike indicator JSON | in | Indicators retrieved from the Falcon Intelligence platform such as compromised devices, malicious domains, hashes, and so on starting from the specified polling date. |
| CAPEC XML | in, out | Categorized and enumerated attack patterns, attack mechanisms, strategies, tactics and techniques retrieved from the CAPEC catalog. |
| Crowdstrike report JSON | in | Reports retrieved from the Falcon Intelligence platform in JSON format and as PDF attachments. |
| Crowdstrike actor JSON | in | Threat actor entities, related TTPs, indicators, and campaigns, as well as related observables to represent actor ID, target country, target industry, and targeted victim(s). |
| CVE Search JSON | in | Exploit target entities retrieved from CIRCL CVE Search. The entity ID is derived from the CVE ID. API endpoint: https://cve.circl.lu/api/last. |
| Intel 471 IOC Feed | in | Indicators of compromise such as IP addresses, malicious URLs, and MD5 and SHA-256 hashes. Intel 471 focuses on providing first-hand information related to threat actors and groups. API endpoint: https://api.intel471.com/v1/search/{}. |
| OpenPhish Feed Text | in | Phishing URLs are saved as indicators. The signalled phishing activities are saved as TTPs related to the corresponding indicators. API endpoint: https://openphish.com/feed.txt. |
| Proofpoint Message | in | Indicators and observables focusing on email threats such as phishing, spoofing, email malware, and impostor email/fraudulent messages. API endpoint: https://api.emaildefense.proofpoint.com/v1. |
Transport types
These are the supported communications protocols the platform uses to publish data through outgoing feeds.
| Transport type | Feed type | Description |
| --- | --- | --- |
| FTP upload | out | Custom feed to publish data through an FTP server. |
| HTTP download | out | Custom feed to publish data through an HTTP server. By default, the outgoing feed content is available through the following platform API endpoints: /private/open-outgoing-feed-download/ for public outgoing feeds, and /private/outgoing-feed-download/ for private outgoing feeds. |
| Mount point upload | out | Custom feed to publish data from a location on a local or network unit. |
| Send email | out | Custom feed to publish data as email attachments. |
| Syslog push | out | Custom feed to share data with other devices using the Syslog protocol. Usually, Syslog messages are centralized to a Syslog server. |
| TAXII inbox | out | Custom feed using the TAXII inbox service to publish data. |
| TAXII poll | out | Custom feed using the TAXII polling service to publish data. |
| Amazon S3 push | out | Custom feed to publish data to the designated Amazon S3 bucket. |
| SFTP upload | out | Custom feed to publish data through an SFTP server. |