Threat Feeds – Netenrich

In this article:

Threat Intelligence feed is a stream of data that poses potential risk or malicious activities to an organization's security. Resolution Intelligence Cloud supports threat feed feature that provides you information on attacks, including zero-day attacks, botnets, malware, and other security threats.

With threat feeds, you can create a list of curated threats related to malicious activity within an organization and push them to Chronicle to analyze and identify upcoming risk. Resolution Intelligence enables you to create a list curated threats which are helpful in implementing intelligence to a stream of security data.

Examples of threat feeds include IP addresses, malicious domains/URLs, Phishing URLs, malware hashes and more.

Configuring a Threat feed

User Permissions

A Creator from these categories such as Domain, Organization, and Tenant can create threat feeds.

To create a threat feed,

Navigate to Configurations --> Chronicle CMS at the left nav-bar.
Click Threat Feed icon.
On the Threat Feed listing page, click +Add Threat Feed at the top right corner
Enter Title, and Description (mandatory) for threat feed.
In Feed Source Type, select any one of the following.

- Enter IOCs: Indicators of Compromise include IP adresses, Domains, and URLs
- Upload CSV: You can upload a CSV file to import multiple threat feeds from file
- Configure URL: A URL that needs to be monitored recurrently

Note: Based on your selection, below fields will vary.

Recommendations	Actions
If you choose Enter IOCs	In IOC Type, select any of the following. Domain: includes domains that carry malicious threats IP Address: includes IP addresses that carry malicious threats URL: includes phishing URLs that carry malicious threats In IOC Values, enter a value. For example, threat.com Score (Optional): Determines the score of each threat type Severity (Optional): Select any of the following High Medium Low Category (Optional): Enter a category that a threat belongs to. For example, Phishing URL In Whitelists field, add one or more IPs and domain URLs as well as to exclude the feeds that originate from whitelisted IPs. Click Save at the top. Your threat feed will be saved as a draft in the listing page.
If you choose Upload CSV	Click Download Template. A template will be downloaded to your local folder. Enter values under IOC Type, IOC Value, Score, Severity, Category, and Feed Source columns. Under Upload CSV, click Attach and select a threat feed file from your local folder. In Whitelists field, add one or more IPs and domain URLs as well as to exclude the feeds that originate from whitelisted IPs. Click Save at the top. Your threat feed will be saved as a draft in the listing page.
If you choose Configure URL	In URL field, enter a URL that you would like to ingest threats from. In Authentication Type, select any of the following from the dropdown. No Authentication: No authentication credentials required Basic Auth: Enter User Name and Password. Bearer Token: Enter a Secret token Check box next to Schedule (Optional): You can monitor threats from a URL based on the different intervals In Schedule Interval, select any of the following. Half-Hourly Hourly Two-Hourly Three-Hourly Six-Hourly Twice - Daily Daily Weekly Monthly In Feed Data Format, select IOC data in URL from the dropdown. CSV HTML Table In Feed Columns, select which columns data to be loaded from CSV or HTML table In Header is Present, select any option from the dropdown True: If CSV or HTML table consists of header False: If CSV or HTML table does not consist of a header Score (Optional): Determines the score of each threat type Severity (Optional): Select any of the following High Medium Low Category (Optional): Enter a category that a threat belongs to. For example, Phishing URL Column Regex Search (Optional): Enter regex expression to search across a column in the table that you specified. For example, {"category": "(?<=Domain used by )(.)"} In Whitelists* field, add one or more IPs and domain URLs as well as to exclude the feeds that originate from whitelisted IPs Click Fetch Data After you have fetched data, click Save at the top. Your threat feed will be saved as a draft in the listing page.	If you choose CSV: In Feed Column Delimiter, select a delimiter to separate columns used in CSV file from the dropdown , (Comma, Default) ; (Semicolon) : (Colon) In Multi Value Delimiter in Feed Column, select a delimiter used in csv to separate multiple values in column from the dropdown \| (Pipe, Default) ; (Semicolon) : (Colon) If you choose HTML Table: In Table Attribute Name, enter the name of a table, when there are multiple tables available in a URL In Table Attribute Value, enter a value specific to the table you are interested In Table Index, enter an index value of a table that you are interested. Note: You can find Table attribute name, value, and index by inspecting webpage of your URL

6. In Threat Feed listing page, click Actions --> Send for Review
Your threat feed will sent to be reviewed by Publisher

Publishing a Threat Feed

User Permissions

A Publisher from these categories such as Domain, Organization, and Tenant can publish threat feeds.

To publish a threat feed,

Navigate to Configurations --> Chronicle CMS at the left nav-bar.
Click the Threat Feed icon.
In the Threat feed listing page, click on a threat feed which is Under Review State.
Verify the mandatory fields and click Actions in the top right corner of the screen.
A drop-down list appear
From the dropdown list,

- Click Approve if the mandatory fields are appropriate. The threat feed will be moved to Reviewed state once it is approved.
- Before publishing a threat feed, ensure that you have selected list of organizations for which you want to publish your threat feed, if you are at Domain level otherwise it will be published to all organizations which comes under your domain likewise for tenants.
- Click Reject, if the mandatory fields are not appropriate. The threat feed will be sent back to the Creator for changes and moved to the Draft state.

Note: Publisher can publish a threat feed at organization, and tenant level. For example, if the publisher publishes a threat feed at organization level, then the changes in threat feed will be sent to tenant level.

Finding Threat Feeds

The free text search filters the threat feeds by text in the threat feed title. There is no Search button.

Sorting Threat Feeds

The threat feed page lists all threat feeds (Published, Under Review, and Draft) in the listing page after creating or publishing them. You can sort the threat feeds based on the following list of options.

Item	Description
Last Modified On	Date and Time of last change to a threat feed
Title	Title of a threat feed that you have given while creating
Name	Name of a threat feed that is generated automatically after creating it
Most Used	Frequently used threat feed
Created On	Date and Time when a threat feed is created first time
Feed Source Type	A type of a source that your threat feed originated from
Schedule Interval	Intervals include Half-hourly, Hourly, Two-Hourly, Three-Hourly, Six-Hourly, Twice - Daily, Daily, Weekly, and Monthly

To rearrange threat feeds in descending or ascending order, click or .

Configuring a Threat feed

User Permissions

Publishing a Threat Feed

User Permissions

Finding Threat Feeds

Sorting Threat Feeds

Related articles