Define a threat source

A key to defending your organization from cyber-threats is categorizing the sources of those threats. As threats and vulnerabilities continue to evolve, well-defined threat sources let you direct your detection efforts in a controlled way.

Before you begin

Role required: sn_ti.admin

Procedure

  1. Navigate to Threat Intelligence > Sources > Threat Sources.
  2. Click New.
  3. Fill in the fields on the form, as appropriate.
    Name: The name of the source of the threat.
    Application: The application that contains this record.
    Active: Select this check box to activate the threat source.
    Advanced: Select this check box to display the scripts in the Integration factory script and Processor factory script fields.
    Description: A description of this threat source.
  4. Fill in the fields in the Schedule section, as appropriate.
    Run: How often the integration runs (for example, Daily, Weekly, or Periodically). The value you select here determines which of the following fields are displayed.
    Day: The day you want the integration to run.
    • If you selected Weekly in the Run field, this field displays the days of the week.
    • If you selected Monthly in the Run field, this field displays the days of the month.
    Time: The time you want the integration to start.
    Repeat Interval: If you selected Periodically in the Run field, this field displays the number of days and hours to wait before the integration runs again.
    Starting: If you selected Periodically in the Run field, this field displays the date and time used as the starting point for periodic runs.
    Conditional: Select this check box if you want the run to depend on a condition.
    Condition: If you selected the Conditional check box, enter the condition here.
  5. Fill in the fields in the Threat Details section, as appropriate.
    Indicator: The indicator to associate with observables when the data does not explicitly provide one. For blocklists, if this field is empty, a new indicator is created for each observable.
    Indicator type: The indicator type to assign to indicators that are created when the data does not explicitly provide an indicator type.
    Attack Mode/Method: The attack mode/method to use if the data does not explicitly provide one.
    Observable Type: The observable type to assign to observables that are created when the data does not explicitly provide an observable type.
    Weight: Enter a weight value for this source; it is used in the confidence calculation.
    Note: How the Indicator, Indicator type, Attack Mode/Method, and Observable Type fields are used is implementation specific. The default processor, SimpleBlocklistProcessor, behaves as the hover text hints describe, whereas a TAXII threat source is fully data driven, and a custom threat source processor can apply its own strategy. These fields are exposed to the integration and processor scripts; the implementation decides how to use them.
  6. Fill in the fields in the Source Details section, as appropriate.
    Endpoint: Enter the web service endpoint URL where Threat Intelligence can access the threat source. Click the lock icon to lock the URL.
    Use REST Message: If you require a REST message to access the threat source, select this check box. The REST message and REST method fields then become mandatory.
    REST message: Click the lookup icon and select the REST message from the list, or click New to define a new REST message.
    REST method: Click the lookup icon and select the REST method from the list, or click New to define a new REST method.
    Integration script: The default integration script is SimpleRESTSecurityDataIntegration. It runs a simple REST call, saves the response as an attachment, and returns the attachment to the processor. This script should meet the needs of most organizations, but if you wish, you can click the lookup icon and select a different integration script or define a new one.
    Integration factory script: If the Advanced check box is selected, this field displays the actual script for constructing the integration script. You can edit the script as needed, which is generally useful for custom implementations. Integrations in the base system usually do not need any custom constructor logic.
    Report processor: The default report processor is SimpleBlocklistProcessor. This is a simple processor that accepts a simple blocklist (simple meaning a single-column document of observables such as URLs or IP addresses) and creates observables. It uses the Threat Details fields to determine which fields to set when observables are created.
    Processor factory script: If the Advanced check box is selected, this field displays the actual script for constructing the processor. You can edit the script as needed, which is generally useful for custom implementations. Integrations in the base system usually do not need custom constructor logic.
  7. Click Submit.
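As an added illustration (not ServiceNow's SimpleBlocklistProcessor and not code from this product), the stand-alone Node.js model below shows how the Threat Details defaults from step 5 shape the observables and indicators that a simple single-column blocklist produces, as described for the Report processor in step 6. The constructed feed, the configuration object, and the regex classification rules are assumptions.

```javascript
// Constructed sample feed as the integration script would hand it to the processor:
// one observable per line; blanks and comments are ignored, duplicates collapse.
const SAMPLE_BLOCKLIST = [
  '# constructed example feed',
  '203.0.113.10',
  'http://example.invalid/login.php',
  'bad.example.invalid',
  '203.0.113.10',
].join('\n');

// Hypothetical threat-source configuration mirroring the Threat Details fields.
const SOURCE_CONFIG = {
  indicator: null,               // empty: one new indicator per observable
  indicatorType: 'Malicious URL',
  attackMode: 'Phishing',
  observableType: 'Domain name', // fallback when a line cannot be classified
  weight: 40,                    // source weight fed into confidence scoring
};

// Assumed classification rules; a single-column feed carries no explicit type.
const IPV4 = /^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$/;
const URL_RE = /^https?:\/\/\S+$/i;
const DOMAIN = /^(?:[a-z0-9-]+\.)+[a-z]{2,}$/i;

// Classify one blocklist entry; returns null when no rule matches.
function classifyObservable(value) {
  if (IPV4.test(value)) return 'IP address (V4)';
  if (URL_RE.test(value)) return 'URL';
  if (DOMAIN.test(value)) return 'Domain name';
  return null;
}

// Turn a blocklist into observables plus the indicators they are attached to.
function processBlocklist(text, cfg) {
  const seen = new Set();
  const observables = [];
  const indicators = [];
  for (const raw of text.split('\n')) {
    const value = raw.trim();
    if (!value || value.startsWith('#') || seen.has(value)) continue;
    seen.add(value);
    // Type from the data when determinable, otherwise the configured default.
    const type = classifyObservable(value) || cfg.observableType;
    // No configured Indicator: create a new one per observable.
    const indicator = cfg.indicator ||
      { name: value, type: cfg.indicatorType, attackMode: cfg.attackMode };
    if (!cfg.indicator) indicators.push(indicator);
    observables.push({ value, type, indicator: indicator.name, sourceWeight: cfg.weight });
  }
  return { observables, indicators };
}
```

Setting `indicator` in the configuration switches the model to attaching every observable to that one indicator, which is the other behaviour the Indicator field description covers.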