Incoming feed - Bitdefender Advanced Threat Intelligence IP Feed

This article describes how to configure incoming feeds for a particular feed source. To see how to configure incoming feeds in general, see Configure incoming feeds general options.

Specifications

Transport types

Bitdefender Advanced Threat Intelligence IP Feed

Content type

Bitdefender IP JSON

Ingested data

Ingests IP Watchlist and C2 indicators from these feeds:

  • APT-IPs-jsonl-feed (IP Watchlist)

  • CNC-IPs-jsonl-feed (C2)

Endpoint(s)

https://feeds.ti.bitdefender.com/

Processed data

See Data mapping.

Requirements

  • Bitdefender Advanced Threat Intelligence JWT token

Configure the incoming feed

  1. Create or edit an incoming feed.

  2. Under Transport and content, fill out these fields:

    Required fields are marked with an asterisk (*).

    Transport type*
      Select Bitdefender Advanced Threat Intelligence IP Feed from the drop-down menu.

    Content type*
      Select Bitdefender IP JSON from the drop-down menu.

    URL*
      By default, this is set to https://feeds.ti.bitdefender.com/.

    JWT Token*
      Set this to your Bitdefender Advanced Threat Intelligence JWT token.

    SSL verification
      Selected by default. Select this option to verify the feed source's SSL certificate when connecting to this feed.

    Path to SSL certificate file
      Used when connecting to a feed source that uses a custom CA. Set this to the path of the SSL certificate to use when authenticating the feed source.
      For more information, see SSL certificates.

    Start ingesting from
      Not available for this transport type.
      The Bitdefender Advanced Threat Intelligence IP Feed always downloads the latest available data from the last 30 days.

  3. Store your changes by selecting Save.

Execution schedule

Bitdefender Advanced Threat Intelligence updates its feeds once a day at 09:00 GMT+0.

For best results, either:

  • Set your execution schedule to match this, or

  • Set your execution schedule to None to only run the feed manually.

SSL certificates

To use an SSL certificate with the platform, it must be:

  • Accessible on the EclecticIQ Platform host.

  • Placed in a location that can be accessed by the eclecticiq user.

  • Owned by eclecticiq:eclecticiq.

To make sure that the platform can access the SSL certificate:

  1. Upload the SSL certificate to a location on the platform host.

  2. On the platform host, open the terminal.

  3. Change ownership of the SSL certificate by running as root in the terminal:

    chown eclecticiq:eclecticiq /path/to/cert.pem

    Where /path/to/cert.pem is the location of the SSL certificate the platform needs to access.

Data mapping

Map indicators

This table shows how each record from the Bitdefender Advanced Threat Intelligence IP Feed is mapped to an Indicator on the platform:

Title
  Mapped from Bitdefender IP JSON: response[].ioc
  Example value: 127.0.0.1
  Description: Indicator from feed source.

Analysis
  Mapped from Bitdefender IP JSON: response[].threat_name, response[].threat_family
  Example value: Threat name: phishing-unknown Threat family: phishing
  Description: Contains information about threats associated with the IP address.

Types
  Mapped from Bitdefender IP JSON: N/A
  Example value: IP Watchlist, C2
  Description: Indicators from this feed are always ingested as IP Watchlist indicators. Indicators ingested from the CNC-IPs-jsonl-feed have an additional C2 type.

Confidence
  Mapped from Bitdefender IP JSON: N/A
  Example value: Unknown
  Description: Indicators from this feed are always ingested with Confidence set to Unknown.

Likely Impact
  Mapped from Bitdefender IP JSON: N/A
  Example value: Unknown
  Description: Indicators from this feed are always ingested with Likely Impact set to Unknown.

Estimated time
  Mapped from Bitdefender IP JSON: Various
  Example value: Various
  Description: See Map indicator timestamps.

Tags
  Mapped from Bitdefender IP JSON: response[].threats[].industries, response[].threat_family, response[].tags[]
  Example value: Threat family name
  Description: Indicators are tagged with values found in these fields from Bitdefender IP JSON.

Map indicator timestamps

The following table describes how Bitdefender Advanced Threat Intelligence Indicator timestamps are mapped to Indicator timestamps on the platform.

Estimated threat start time
  Bitdefender IP JSON field: response[].threats[].first_seen

Estimated threat end time
  Bitdefender IP JSON field: response[].threats[].expire_at

Estimated observed time
  Bitdefender IP JSON field: response[].threats[].first_seen

Half-life
  By default, set to Use default value.

Ingested
  Date and time ingested.

Supported observables

The following table describes the observable types supported for this feed, and how they’re mapped from Bitdefender IP JSON:

IPv4
  Maliciousness: High
  Maps from Bitdefender IP JSON: response[].ioc

IPv4
  Maliciousness: Unknown
  Maps from Bitdefender IP JSON: response[].threats[].ip[]

Country
  Maliciousness: Safe
  Maps from Bitdefender IP JSON: response[].regions

Country Code
  Maliciousness: Safe
  Maps from Bitdefender IP JSON: response[].regions
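As an added illustration (not EclecticIQ's or Bitdefender's code), the following Python applies the mapping rules from Map indicators, Map indicator timestamps and Supported observables to a constructed record, so you can check what an ingested Indicator should look like before running the feed. The record layout, the sample values, and the treatment of regions as ISO country codes are assumptions built from the field paths in the tables above.

```python
import json

# Constructed sample in the shape the mapping tables reference (assumed layout,
# not a real feed record; field names come from the tables on this page).
SAMPLE_DOC = json.loads("""
{"response": [{"ioc": "127.0.0.1", "threat_name": "phishing-unknown",
  "threat_family": "phishing", "tags": ["phish"], "regions": ["NL"],
  "threats": [{"industries": ["finance"], "first_seen": "2024-05-01T09:00:00Z",
               "expire_at": "2024-05-31T09:00:00Z", "ip": ["198.51.100.7"]}]}]}
""")


def map_record(rec, source_feed):
    """Map one Bitdefender IP JSON record to the Indicator fields listed on this page."""
    types = ["IP Watchlist"]  # every record becomes an IP Watchlist indicator
    if source_feed == "CNC-IPs-jsonl-feed":
        types.append("C2")  # records from the CNC feed get the additional C2 type
    threats = rec.get("threats", [])
    # Tags: response[].tags[], response[].threat_family, response[].threats[].industries
    tags = set(rec.get("tags", []))
    if rec.get("threat_family"):
        tags.add(rec["threat_family"])
    for t in threats:
        tags.update(t.get("industries", []))
    # Timestamps come from the per-threat first_seen / expire_at fields
    first_seen = [t["first_seen"] for t in threats if "first_seen" in t]
    expire_at = [t["expire_at"] for t in threats if "expire_at" in t]
    # Observables: the IoC itself is High, related IPs are Unknown, regions are Safe
    observables = [("IPv4", "High", rec["ioc"])]
    observables += [("IPv4", "Unknown", ip) for t in threats for ip in t.get("ip", [])]
    # Assumption: regions holds ISO country codes; the page maps the same field
    # to both Country and Country Code without saying how each is derived.
    observables += [("Country Code", "Safe", r) for r in rec.get("regions", [])]
    return {
        "title": rec["ioc"],
        "analysis": f"Threat name: {rec.get('threat_name')} "
                    f"Threat family: {rec.get('threat_family')}",
        "types": types,
        "confidence": "Unknown",      # always Unknown for this feed
        "likely_impact": "Unknown",   # always Unknown for this feed
        "threat_start": min(first_seen, default=None),
        "threat_end": max(expire_at, default=None),
        "observed": min(first_seen, default=None),
        "tags": sorted(tags),
        "observables": observables,
    }


def map_feed(doc, source_feed):
    """Map every record in a downloaded feed document; returns a list of Indicator dicts."""
    return [map_record(rec, source_feed) for rec in doc["response"]]
```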