Incoming feed - Cisco Threat Grid Curated Feed


This procedure describes how to configure incoming feeds for a particular feed data source, transport type, or content type.
For more information about configuring common options shared across all incoming feeds, see Configure incoming feeds general options.



Specifications

Transport type

Cisco Threat Grid Curated Feed

Content type

STIX 1.2

Ingested data

  • Banking Trojan network communications: (meta)data from communication involving Trojan-infected machines.
    Feed: banking-dns.

  • Data obtained from the analysis of samples leveraging DLL sideloading and/or hijacking techniques.
    Feed: dll-hijacking-dns.

  • Document (PDF, Office) network communications: (meta)data from communication involving infected document files.
    Feed: doc-net-com-dns.

  • Data obtained from the analysis of samples downloading executables over the network.
    Feed: downloaded-pe-dns.

  • Data obtained from the analysis of samples leveraging dynamic DNS providers.
    Feed: dynamic-dns.

  • Data obtained from Internet Relay Chat (IRC) network communications.
    Feed: irc-dns.

  • Information about modified Windows hosts files.
    Feed: modified-hosts-dns.

  • Information about parked domains resolving to RFC1918, localhost and broadcast addresses.
    Feed: parked-dns.

  • Public IP address check network communications.
    Feed: public-ip-check-dns.

  • Data obtained from the analysis of samples communicating with ransomware servers.
    Feed: ransomware-dns.

  • Information about remote access Trojans (RAT), and any communications with their Command and Control systems.
    Feed: rat-dns.

  • DNS entries obtained from the analysis of samples communicating with known DNS sinkholes.
    Feed: sinkholed-ip-dns.

  • DNS entries observed in samples signed with a stolen certificate.
    Feed: stolen-cert-dns.

Processed data

Indicators with embedded observables, where each observable represents an indicator of compromise (IOC).

API endpoint

https://panacea.threatgrid.com/api/v3/

Description

Retrieve and process information on Trojan-infected machines and servers, on malware-infected DNS servers and web sites, on parked domains, DNS sinkholes, and stolen certificates.

Requirements

Users need an API key for their own configuration. Sign up and subscribe to the service to obtain the required API key credentials.

Configure the incoming feed

  1. Create or edit an incoming feed.

  2. From the Transport type drop-down menu, select Cisco Threat Grid Curated Feed.

  3. From the Content type drop-down menu, select STIX 1.2.

  4. The API URL field is automatically filled in with the default domain for the endpoint.
    You can add a proxy or set up ports according to your needs.
    Default value: https://panacea.threatgrid.com/api/v3/.

  5. In the API key field, enter the API key from Cisco.

  6. The SSL verification checkbox is automatically selected.

  7. In the Path to SSL certificate file field, you can enter the path to your PEM file.
    It is also possible to leave the field blank.

  8. From the Feed type drop-down menu, select the data source you want the incoming feed to retrieve data from.

  9. Click the Start ingesting from field and use the drop-down calendar to select an initial date (and, where available, an initial time) from which to fetch content from the intelligence provider or data source, so that ingestion starts at a specific point in the past.
    If you do not specify any start date, the default start date is 6 months in the past.
    This means that if you leave this field empty, the incoming feed will fetch data as old as 6 months until the present time.

  10. To store your changes, click Save; to discard them, click Cancel.
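The settings in steps 4 to 9 map directly onto an HTTP client: the API URL, the API key, the SSL verification checkbox with an optional CA PEM path, the feed name, and the "6 months in the past" default start date. The following Python script is an added example, not part of this page or of the EclecticIQ or Cisco product; it builds the request the way those settings describe and then flattens the STIX 1.2 payload into the "indicator with embedded observables" shape listed under Processed data. The feed URL path (`feeds/<name>_<YYYY-MM-DD>.stix`) and the `api_key` query parameter are assumptions that are not documented on this page; the namespaces are the standard STIX 1.2 / CybOX 2.1 values, and the embedded STIX document is constructed sample data, not real feed content.

```python
"""Added example: build a Threat Grid curated-feed request from the feed settings
and extract IOCs from a STIX 1.2 payload. Not the platform's own code."""
import calendar
import datetime as dt
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urljoin

API_URL = "https://panacea.threatgrid.com/api/v3/"  # default API URL from the page

# The feed names listed under "Ingested data".
CURATED_FEEDS = {
    "banking-dns", "dll-hijacking-dns", "doc-net-com-dns", "downloaded-pe-dns",
    "dynamic-dns", "irc-dns", "modified-hosts-dns", "parked-dns",
    "public-ip-check-dns", "ransomware-dns", "rat-dns", "sinkholed-ip-dns",
    "stolen-cert-dns",
}

# Standard STIX 1.2 / CybOX 2.1 namespaces.
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "DomainNameObj": "http://cybox.mitre.org/objects#DomainNameObject-1",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
}


def default_start_date(today):
    """Empty 'Start ingesting from' means 6 months back; day is clamped to month length."""
    month, year = today.month - 6, today.year
    if month <= 0:
        month, year = month + 12, year - 1
    day = min(today.day, calendar.monthrange(year, month)[1])
    return dt.date(year, month, day)


def build_feed_url(feed_name, day, api_key, base_url=API_URL):
    """ASSUMPTION: the 'feeds/<name>_<date>.stix' path and 'api_key' parameter are
    not on the page; confirm them against the Threat Grid API reference."""
    if feed_name not in CURATED_FEEDS:
        raise ValueError(f"unknown curated feed: {feed_name}")
    path = f"feeds/{feed_name}_{day:%Y-%m-%d}.stix"
    return urljoin(base_url, path) + "?" + urlencode({"api_key": api_key})


def make_ssl_context(verify=True, ca_pem_path=None):
    """Mirrors the 'SSL verification' checkbox and 'Path to SSL certificate file' field.
    ca_pem_path=None uses the system trust store; verify=False exists only because the
    checkbox does, and should stay enabled against a live endpoint."""
    ctx = ssl.create_default_context(cafile=ca_pem_path)
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def fetch_feed(url, ctx, timeout=60):
    """Download the raw STIX document (network call; not exercised offline)."""
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read()


def parse_stix_indicators(xml_bytes):
    """One dict per embedded observable: (indicator id, title, IOC type, IOC value)."""
    root = ET.fromstring(xml_bytes)
    iocs = []
    for ind in root.findall(".//stix:Indicator", NS):
        title_el = ind.find("indicator:Title", NS)
        title = title_el.text.strip() if title_el is not None and title_el.text else ""
        for props in ind.findall(".//cybox:Properties", NS):
            dom = props.find("DomainNameObj:Value", NS)
            addr = props.find("AddressObj:Address_Value", NS)
            if dom is not None and dom.text:
                ioc_type, value = "domain", dom.text.strip()
            elif addr is not None and addr.text:
                ioc_type, value = "ip", addr.text.strip()
            else:
                continue  # object type this parser does not handle
            iocs.append({"indicator_id": ind.get("id"), "title": title,
                         "type": ioc_type, "value": value})
    return iocs


# Constructed sample in the STIX 1.2 shape described above (not real feed content).
SAMPLE_STIX = b"""<?xml version="1.0" encoding="UTF-8"?>
<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:cybox="http://cybox.mitre.org/cybox-2"
    xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
    xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    id="example:Package-1" version="1.2">
  <stix:Indicators>
    <stix:Indicator id="example:indicator-1" xsi:type="indicator:IndicatorType">
      <indicator:Title>banking-dns: domain contacted by sample</indicator:Title>
      <indicator:Observable id="example:observable-1">
        <cybox:Object id="example:object-1">
          <cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
            <DomainNameObj:Value>c2.malicious.example</DomainNameObj:Value>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
    </stix:Indicator>
    <stix:Indicator id="example:indicator-2" xsi:type="indicator:IndicatorType">
      <indicator:Title>sinkholed-ip-dns: resolved to sinkhole</indicator:Title>
      <indicator:Observable id="example:observable-2">
        <cybox:Object id="example:object-2">
          <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
            <AddressObj:Address_Value>203.0.113.5</AddressObj:Address_Value>
          </cybox:Properties>
        </cybox:Object>
      </indicator:Observable>
    </stix:Indicator>
  </stix:Indicators>
</stix:STIX_Package>
"""

if __name__ == "__main__":
    for ioc in parse_stix_indicators(SAMPLE_STIX):
        print(ioc)
```

Run as-is to see the two constructed observables flattened; replace the sample with `fetch_feed(build_feed_url(...), make_ssl_context(ca_pem_path=...))` once the URL format has been confirmed. The parser ignores observable object types it does not recognise rather than guessing, which is the same behaviour you want from an ingestion pipeline: an unhandled object should be logged, not silently coerced into an IOC.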

Test the feed

  1. In the top navigation bar, click Data Configuration > Incoming feeds.

  2. Click the feed that you just created, using the steps above.

  3. In the Overview view, click Download now.

  4. Click Ingested entities and check that entities have been ingested into the platform.

Or:

  1. In the top navigation bar, click Intelligence > All intelligence > Browse.

  2. Click the Entities tab.

  3. In the top-left corner, click the filter icon.

  4. From the Source drop-down menu, select the incoming feed you have just created using the steps above.

  5. You can also filter by entity type: from the Entity drop-down menu, select the entity types you want to include in the filtered results.

See also