Fetch Sources from a URL

Configure a URL source if you want threat intelligence director to fetch files from a host.

If you encounter an issue during TID configuration or operation, see Troubleshoot Threat Intelligence Director.

Procedure


Step 1

Make sure your source meets the requirements in Source Requirements.

Step 2

Choose Integration > Intelligence > Sources.

Step 3

Click Add (add icon).

Step 4

Choose URL as the Delivery method for the source.

Step 5

Complete the form.

  • If you are ingesting a flat file, choose a Type that describes the data contained within the source.

  • If the host server requires an encrypted connection, configure the SSL Settings as described in Configure TLS/SSL Settings for a Threat Intelligence Director Source.

  • For Name: To simplify sorting and handling of incidents based on threat intelligence director indicators, use a consistent naming scheme across sources. For example, <source>-<type>.

    Including the source name simplifies returning to the source for further information or feedback.

    Be sure to enter the name consistently. For example, for a source with IPv4 addresses, you might always use IPV4 (not IPv4 or ipv4 or IP_v4 or IP_V4 or ip-v4 or IP-v4, IP-V4, etc.).

  • If you are ingesting a STIX file, Block is not an Action option, as STIX data can contain complex indicators, which the system cannot block. Devices (elements) store and take action based on single observables; they cannot take action based on multiple observables.

    However, after ingestion, you can block individual observables and simple indicators obtained from the source. For more information, see Edit Threat Intelligence Director Actions at the Source, Indicator, or Observable Level.

  • Set an update frequency that makes sense for how often the data source is updated. For example, if the source is updated 3 times per day, set your update interval to 1440/3 or 480 minutes to regularly capture the latest data.

  • After the number of days you specify for the TTL interval, threat intelligence director deletes:

    • all of the source's indicators that are not included in subsequent source updates.

    • all observables not referenced by a surviving indicator.

    Note

    If the source contains no updates for the number of days specified for TTL and the source checksum remains unchanged, downloads are treated as feeds with no updates. For observables to receive a new TTL value, the source must contain a few updates.

Step 6

If you want to immediately begin publishing to elements, confirm that the Publish Slider (slider icon) is enabled.

When this option is enabled, the system automatically publishes the initial source data and any subsequent changes.

For details, see Pause or Publish Threat Intelligence Director Data at the Source, Indicator, or Observable Level.

Step 7

Click Save.
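
The TTL rule in Step 5 removes data in two passes: first indicators, then orphaned observables. The following Python model is an added example, not Cisco code; the Indicator class, the apply_ttl function, the day-number timing (age counted from the last source update that included the indicator) and the sample values are all assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    name: str
    observables: frozenset  # observable values this indicator references
    last_seen_day: int      # last day a source update included this indicator


def apply_ttl(indicators, today, ttl_days):
    """Model of the TTL rule from Step 5.

    Assumption: an indicator's age is counted in days since the last source
    update that included it, and deletion happens once age >= ttl_days.
    Returns (surviving_indicators, deleted_indicators, deleted_observables).
    """
    surviving, deleted = [], []
    for ind in indicators:
        (deleted if today - ind.last_seen_day >= ttl_days else surviving).append(ind)

    # An observable is kept while any surviving indicator still references it.
    still_referenced = set().union(*(i.observables for i in surviving))
    dropped = set().union(*(i.observables for i in deleted)) - still_referenced
    return surviving, deleted, dropped


# Constructed sample data (documentation address ranges, not real intelligence).
SAMPLE = [
    Indicator("ind-A", frozenset({"192.0.2.10"}), last_seen_day=30),
    Indicator("ind-B", frozenset({"192.0.2.10", "198.51.100.7"}), last_seen_day=0),
    Indicator("ind-C", frozenset({"bad.example.test"}), last_seen_day=10),
]

if __name__ == "__main__":
    kept, gone, dropped = apply_ttl(SAMPLE, today=30, ttl_days=30)
    print("surviving indicators:", [i.name for i in kept])
    print("deleted indicators:  ", [i.name for i in gone])
    print("deleted observables: ", sorted(dropped))
```

In the sample, 192.0.2.10 is kept even though ind-B expires, because ind-A still references it; only 198.51.100.7 is orphaned and removed.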


What to do next

  • To view ingestion status, refresh the Sources page. If you see an error, hover over the status for details.

  • If you are doing initial threat intelligence director configuration, return to How To Set Up Threat Intelligence Director.