Blog

Generating Your Own Threat Intelligence Feeds in ThreatStream

Recently we launched a feature that allows you to create your own threat intelligence feeds in CSV, JSON and STIX format. They're super simple to setup...

David Greenwood

February 14, 2018

Table of contents

<p>Getting threat intelligence into your existing security products - SIEMs, endpoints, network tools -- can significantly enhance their effectiveness and longevity. Here at Anomali we understand the value of product integrations, so much so that my entire job is to manage the 30+ we currently offer.</p><p>Recently we launched a feature that allows you to create your own threat intelligence feeds in CSV, JSON and STIX format for consumption by other products. They're super simple to setup...</p><h2>Step one: Create a saved search</h2><p><img alt="" src="https://cdn.filestackcontent.com/gtBLerTiSRrKFspI92KQ" style="width: 600px; height: 310px;"/></p><p>Use ThreatStream's search functionality to define the type of indicators you want to include in your feed. I used the search:</p><p><code>(itype="mal_domain") and (status="active") and (confidence>=95)</code></p><p>Translated into English; only include malware domain indicators type that are currently reported as active with a very high confidence score of 95 assigned by ThreatStream.</p><p>Once the constraints meet the requirements for your feed, select "save as" to convert it into a saved search you can use across ThreatStream.</p><h2>Step two: Create a custom integration</h2><h2><img alt="" src="https://cdn.filestackcontent.com/RNYjKy7RrS20XlbzOwEO" style="width: 600px; height: 305px;"/></h2><p>In ThreatStream navigate to: Settings > Integrations > New Integration</p><p>The pop-up modal will allow you to configure the settings for your feed including:</p><ul><li>The search filter (set in step one)</li><li>The feed format (JSON, CSV or STIX)</li><li>The fields to be included in the feed (35 available to select)</li></ul><p>Once you hit save, ThreatStream will create a custom URL for your feed.</p><p><img alt="" src="https://cdn.filestackcontent.com/ROuz7HkrRDGTuKAwaF5c" style="width: 362px; height: 323px;"/></p><h2>Step three: Add your feed to your existing products</h2><p>You can now use the URL generated in step two as a feed source to any products that can ingest threat feeds in the configured format. </p><p>The feed is updated on a set schedule (every 4 hours in the example above). If you're asked for a polling interval make sure to set it equal to this schedule so you're not making more requests than necessary.</p><p><img alt="" src="https://cdn.filestackcontent.com/IAftxyHgTJ6b5FjnvE6J" style="width: 600px; height: 291px;"/></p><p>Here's an example using Splunk's Enterprise Security Threat Intel Download input. In the screenshot above, I've created an input for my ThreatStream CSV threat feed. Once active, the indicators will be consumed by Splunk ES and used for log enrichment within the app.</p><h2>My product does not support CSV, JSON or STIX inputs...</h2><p><a href="https://www.anomali.com/partners/integration-partners">There are currently 30+ native integrations supported by ThreatStream -- Splunk, QRadar, Arcsight, Carbon Black, Palo Alto Networks</a>. </p><p>Trying to do integrate with a product that's a little more niche? <a href="http://forum.anomali.com/c/feature-requests">Let us know on the Anomali forum</a>.</p>

Getting threat intelligence into your existing security products - SIEMs, endpoints, network tools -- can significantly enhance their effectiveness and longevity. Here at Anomali we understand the value of product integrations, so much so that my entire job is to manage the 30+ we currently offer.

Recently we launched a feature that allows you to create your own threat intelligence feeds in CSV, JSON and STIX format for consumption by other products. They're super simple to setup...

Step one: Create a saved search

Use ThreatStream's search functionality to define the type of indicators you want to include in your feed. I used the search:

(itype="mal_domain") and (status="active") and (confidence>=95)

Translated into English; only include malware domain indicators type that are currently reported as active with a very high confidence score of 95 assigned by ThreatStream.

Once the constraints meet the requirements for your feed, select "save as" to convert it into a saved search you can use across ThreatStream.

Step two: Create a custom integration

In ThreatStream navigate to: Settings > Integrations > New Integration

The pop-up modal will allow you to configure the settings for your feed including:

The search filter (set in step one)
The feed format (JSON, CSV or STIX)
The fields to be included in the feed (35 available to select)

Once you hit save, ThreatStream will create a custom URL for your feed.

Step three: Add your feed to your existing products

You can now use the URL generated in step two as a feed source to any products that can ingest threat feeds in the configured format.

The feed is updated on a set schedule (every 4 hours in the example above). If you're asked for a polling interval make sure to set it equal to this schedule so you're not making more requests than necessary.

Here's an example using Splunk's Enterprise Security Threat Intel Download input. In the screenshot above, I've created an input for my ThreatStream CSV threat feed. Once active, the indicators will be consumed by Splunk ES and used for log enrichment within the app.