Overview
This document is intended for the technical audience building an integration with the ThreatConnect Platform. This document is most applicable to partners building a Threat Intelligence Feed integration and provides specific instructions for how to implement the Feed Deployer functionality.
The Feed Deployer has three main functions:
Configuring and creating a feed (source) inside the ThreatConnect Platform that will contain all of the threat intelligence data from the integration
Configuring and creating the default ThreatConnect job that will run the integration
Create any custom attributes that the integration needs
Follow the steps in this document in the order provided in order to implement this configuration within your integration.
If the application is being deployed for the first time, it is recommended to not include the feed deployer configuration.
Feeds Configuration
Add a new section to the install.json to account for the feed provided (this block goes within the root node):
"feeds": [
{
"attributesFile": "attributes.json",
"documentStorageLimitMb": <default value>,
"enableBulkJson": true,
"indicatorLimit": 2000000,
"jobFile": "<name>-intel-job.json",
"sourceCategory": "Premium",
"sourceDescription": "<brief description>",
"sourceName": "<feed name>"
}
],
Make the appropriate substitutions above as noted below:
<default value> should be replaced with the default document storage limit you would expect for your source. If you provide no documents, 10 is a safe default value. Otherwise, you must determine an appropriate value for the information you provide.
<name> should be replaced with a lowercase name of your company and/or product name. This filename will be used in later steps and will be distributed with your package.
<brief description> should be a 2-3 sentence brief description of the data provided in your feed.
<feed name> should be the name of your feed product as it will appear in the ThreatConnect interface.
“attributesFile” and the value are only required if you require custom attributes for your data.
See this documentation for more details on each of these parameters within this section.
Feed Deployer Parameters
Within your install.json file, update each parameter you have with the parameter “feedDeployer” and a value of true for each parameter that should appear within the Feed Deployer wizard screen. An example parameter is provided below:
"params": [
{
"label": "Feed Type",
"name": "feed_type",
"note": "The type of feed you want to ingest into your ThreatConnect platform.",
"required": true,
"type": "MultiChoice",
"feedDeployer": true,
"validValues": [
"C2Addresses",
"C2Hosts",
"Files"
]
},
Do not mark the parameter tc_owner as true for Feed Deployer as you will be hard-coding this value in several places.
Ensure that the feedDeployer value above is set to true in your configuration for each parameter that must be displayed.
Input parameters that you’ve defined for use primarily by your application logic (such as the last_run parameter) should not be displayed in Feed Deployer.
Default Job Configuration
Create a default job profile for your feed using ThreatConnect PartnerStage. Once your app has been installed for testing, manually create a job with all of the parameters that you expect to be provided. Export this job as an example template. Name this file the same as the name you specified for jobFile for your feeds block within install.json. Place the new file alongside your install.json file.
Within the example you created, update the value of the owner parameter with the same name of your feed as defined in the sourceName field for your feeds block within install.json. Add the parameter “preventUpdates” and a value of true.
You will need to remove all of the default values from this file for any string inputs unless you intend for these to go directly to customers as defaults. Things like API keys and last_run timestamps should be removed.
Do not manually edit the scheduleCronFormat field in this file. Use the UI to configure this prior to exporting your template job.
An example of this configuration is below for reference only:
{
"programName": "SecuLast Malware Threat Intelligence v1.0",
"programVersion": "1.0.2",
"jobName": "SecuLast Malware Threat Intelligence",
"allowOnDemand": true,
"publishAuth": false,
"scheduleType": "Daily",
"scheduleCronFormat": "0 0 19-23/2,0-18/2 ? * *",
"scheduleStartDate": 1571756361381,
"enableNotifications": false,
"notifyOnFailure": false,
"notifyOnPartialFailure": false,
"notifyOnComplete": false,
"notifyEmail": "",
"notifyIncludeLogFiles": false,
"params": [
{
"name": "tc_owner",
"preventUpdates": true,
"default": "SecuLast Malware Threat Intelligence"
},
{
"name": "feed_type",
"preventUpdates": false,
"default": "C2Addresses|C2Hosts|Files"
},
{
"name": "api_key",
"encrypt": true,
"preventUpdates": false
},
{
"name": "tc_log_level",
"preventUpdates": false,
"default": "warning"
}
]
}
The default value of tc_owner in this file should match the value of the sourceName parameter inside the “feeds” section of the install.json file. In other words, the default value of tc_owner should match install.json: feeds[0] -> sourceName. This must be hard-coded in this job file.
Custom Attributes
Follow the steps in the References - Creating Custom Attributes document in order to create a new custom attributes JSON file to include with your integration. This file must be named attributes.json when included in your integration and should live in the same folder as the install.json file.