Threat Feeds

Threat Intelligence feed is a stream of data that poses potential risk or malicious activities to an organization's security. Resolution Intelligence Cloud supports threat feed feature that provides you information on attacks, including zero-day attacks, botnets, malware, and other security threats.

With threat feeds, you can create a list of curated threats related to malicious activity within an organization and push them to Chronicle to analyze and identify upcoming risk. Resolution Intelligence enables you to create a list curated threats which are helpful in implementing intelligence to a stream of security data. Examples of threat feeds include IP addresses, malicious domains/URLs, Phishing URLs, malware hashes and more.

Configuring a Threat feed

User Permissions

The creator from these categories such as Domain, Organization, and Tenant can create threat feeds.

To create a threat feed,

1. Navigate to Configurations --> Chronicle CMS at the left nav-bar.
2. Click Threat Feed icon.
3. On the Threat Feed listing page, click +Add Threat Feed at the top right corner
4. Enter Title, and Description (mandatory) for threat feed.
5. Check box left to the Enable Alerting.
   You will be notified of a signal generated in the signals home page whenever the IOC matches the defined criteria in the threat feed. By default, the IOC rules such as ip, domain, URL, and hash static will be copied to the new users while onboarding.
6. In Feed Source Type, select any one of the following.

• • Enter IOCs: Indicators of Compromise include IP addresses, Domains, and URLs.
  • Upload CSV: You can upload a CSV file to import multiple threat feeds from the file.
  • Configure URL: A URL that needs to be monitored recurrently.
  • API Integration: Allows you to transfer the data between two applications (Resolution Intelligence Cloud and KNOW platform).

Note: Based on your selection, the below fields will vary.

a). If you choose Enter IOCs: 

1. 1. In IOC Type, select any of the following.
      • Domain: includes domains that carry malicious threats.
      • IP Address: includes IP addresses that carry malicious threats.
      • URL: includes phishing URLs that carry malicious threats.
      • Hash: includes the encrypted format of the malicious threats.
   2. In IOC Values, enter a value. For example, threat.com.
   3. Score (Optional): Determines the score of each threat type.
   4. Severity (Optional): Select any of the following.
      • High
      • Medium
      • Low
   5. Category (Optional): Enter a category that a threat belongs to. For example, Phishing URL.
   6. In Whitelists field, add one or more IPs and domain URLs as well as to exclude the feeds that originate from whitelisted IPs.
   7. Click Save.
      Your threat feed will be saved as a draft in the listing page.

b). If you choose Upload CSV:

1. 1. Click Download Template. A template will be downloaded to your local folder. Enter values under IOC Type, IOC Value, Score, Severity, Category, and Feed Source columns.
   2. Under Upload CSV, click Attach and select a threat feed file from your local folder.
   3. In Whitelists field, add one or more IPs and domain URLs as well as to exclude the feeds that originate from whitelisted IPs.
   4. Click Save.
      Your threat feed will be saved as a draft in the listing page.

c). If you choose Configure URL:

1. 1. In URL field, enter a URL that you would like to ingest threats from.
   2. In Authentication Type, select any of the following from the dropdown.
      • No Authentication: No authentication credentials required.
      • Basic Auth: Enter User Name and Password.
      • Bearer Token: Enter a Secret token.
      • Access Service Token: Enter Header Key and Header value in the given fields. In Payload field, enter payload in the JSON format (Optional) to extract values.
   3. In Data Format, select IOC data in URL from the dropdown.

i). If you choose CSV:

a). In Feed Column Delimiter, select a delimiter to separate columns used in CSV file from the dropdown.

• • • , (Comma, Default)
    • ; (Semicolon)
    • : (Colon)

b). In Multi Value Delimiter in Feed Column, select a delimiter used in csv to separate multiple values in column from the dropdown.

• • • | (Pipe, Default)
    • ; (Semicolon)
    • : (Colon)

c). Click Load Columns.
The columns available in the CSV file will previewed.

d). Under Define Columns, select the data you want feed for existing columns.

e). Select any of the following options next to the columns from the dropdown menu.

• • • Ignore
    • Entity
    • Category
    • Score
    • Severity

f). Check box next to Extract Value. 
A dialog box appears.

g). Check box left to the any of the following options.

• • • Custom Search - Only Underscore and Space are allowed in string delimiter field to separate string content existing in the columns as tags.
    • Advanced Regex - Enter regex expression to search across a column in the CSV file that you specified. For example, {"category": "(?<=Domain used by )(.*)"}

h). Click Extract. 
The words in the selected index will be extracted and stored from the columns from each row of the CSVs.

ii). If you choose HTML Table:

a). Click Load Tables.
The existing tabular data will be shown.

b). Checkbox next to your desired table.

c). Click Load Columns. 
The existing columns will be shown.

d). Under Define Columns, select the data you want feed for existing columns for your selected table..

e). Select any of the following options next to the columns from the dropdown menu.

• • • Ignore
    • Entity
    • Category
    • Score
    • Severity

f). Check box next to Extract Value. 
A dialog box appears.

g). Check box left to the any of the following options.

• • • Custom Search - Only Underscore and Space are allowed in string delimiter field to separate string content existing in the columns as tags.
    • Advanced Regex - Enter regex expression to search across a column in the CSV file that you specified. For example, {"category": "(?<=Domain used by )(.*)"}

h). Click Extract. 
The words in the selected index will be extracted and stored from the columns from each row of the CSVs.

iii). If you choose JSON:

a). Under API Integration, select any one from the following options.

• • • cURL based: Enter the request method as POST, client Id, client secret, content type, and url from which you would prefer to pull the data.
      The sample request looks like:
      curl --request POST \
      --url https://know-to-cms.dummyops.net/post/data \
      --header 'CF-Access-Client-Id: 8293e74d66gggggjjjkkkdddddaaass.access' \
      --header 'CF-Access-Client-Secret: 3ffhhktkghk34465675878768586585883552423' \
      --header 'Content-Type: application/json' \
      --data '{
               "ioc_type":"ip",
               "historic_days":30
      }

• • • Form Based: Select the following options to pull the data (for example, IP) from URL.
      • In Request method field, select POST from the dropdown.
      • In URL field, enter an appropriate URL from which you prefer to pull data.
      • In Authentication Type, select Access Service Token from the dropdown menu.
      • In Header Key, enter client-id and in Header value, enter a respective value.
      • Click Add.
      • In Header Key, enter client-secret and in Header value, enter a respective value.
      • Click Add.
      • In Header Key, enter Content-type and in Header value, enter application/json.
      • In Payload, enter the JSON payload as specified below.
            {
            "ioc_type":"ip",
            "historic_days":30
        }

b).Click Load. 
The API data will be loaded.

c). Under Define Columns, select the data you want feed for existing columns for your selected table.

d). Select any of the following options next to the columns from the dropdown menu.

• • • Ignore
    • Entity
    • Category
    • Score
    • Severity

i). Click Extract. 
The words in the selected index will be extracted and stored from the columns.

4. In Score (Optional): Determines the score of each threat type.

5. In Severity (Optional): Select any option from the following.

• • High
  • Medium
  • Low

6. In Category (Optional): Enter a category that a threat belongs to. For example, Phishing URL.

7. Under Schedule, In Schedule Interval, select any of the following intervals to monitor threats from a URL.

• • Half-Hourly
  • Hourly
  • Two-Hourly
  • Three-Hourly
  • Six-Hourly
  • Twice - Daily
  • Daily
  • Weekly
  • Monthly

8. In Whitelists field, add one or more IPs and domain URLs in addition to exclude the feeds that originate from whitelisted IPs.

9. Click Done.

10. After you have fetched data, click Save.
Your threat feed will be saved as a draft in the listing page.

7. In the Threat Feed listing page, click Actions --> Send for Review
Your threat feed will sent to the Publisher for review.

Publishing a Threat Feed

User Permissions

The Publisher from these categories such as Domain, Organization, and Tenant can publish threat feeds.

To publish a threat feed,

1. Navigate to Configurations --> Chronicle CMS at the left nav-bar.
2. Click the Threat Feed icon.
3. In the Threat feed listing page, click on a threat feed which is Under Review State.
4. Verify the mandatory fields and click Actions in the top right corner of the screen.
   A drop-down list opens.
5. From the dropdown list,

• • Click Approve if the mandatory fields are appropriate.
    The threat feed will be moved to Reviewed state once it is approved. 
  • Before publishing a threat feed, ensure that you have selected list of organizations for which you want to publish your threat feed, if you are at Domain level otherwise it will be published to all organizations which comes under your domain likewise for tenants.
  • Click Reject, if the mandatory fields are not appropriate. The threat feed will be sent back to the Creator for changes and moved to the Draft state.

Note: Publisher can publish a threat feed at organization, and tenant level. For example, if the publisher publishes a threat feed at organization level, then the changes in threat feed will be sent to tenant level.

Editing a Threat Feed

User Permissions

The creator and publisher can update/edit a threat feed.

Note: Editing is applicable for published state only.

To edit/update a threat feed,

1. Navigate to Configurations --> Chronicle CMS from the left menu.
2. Click the Threat Feeds tile.
3. Click the threat feed or check the box next to the threat feed that you would like to edit.
4. Click Actions --> Update at the top right corner of the screen.
5. Edit your significant changes and click Send for review at the top right corner.
   The threat feed will be moved to the Under review state.

Finding Threat Feeds

The free text search filters the threat feeds by text in the threat feed title. There is no Search button.

Sorting Threat Feeds

The threat feed page lists all threat feeds (Published, Under Review, and Draft) in the listing page after creating or publishing them. You can sort the threat feeds based on the following list of options.

Item	Description
Last Modified On	Date and time of a last change done on a threat feed.
Title	Name of a threat feed you have given while creating it.
Most Used	Frequently used threat feed.
Created On	Date and Time when a threat feed is created first time.
Feed Source Type	A source from which a threat feed originates
Schedule Interval	Intervals include Half-hourly, Hourly, Two-Hourly, Three-Hourly,   Six-Hourly, Twice - Daily, Daily, Weekly, and Monthly.

To rearrange threat feeds in descending or ascending order, click or .