Threat Intelligence Feeds

  • Release version: Washingtondc
  • Updated February 1, 2024
  • 9 minutes to read

    Use Threat Intelligence Feeds to add, edit, or remove threat intelligence feed data sources.

    The data source feeds are available from the Threat Intel Catalog under the Integrations section.

    The catalog for threat intelligence feeds shows the available feed data sources as tiles, and lets you filter, search, navigate to the details of a source configuration, and perform various actions.

    All Feeds

    The base system includes a series of cards for each of the feeds that you can enable and use.

    The Feeds can be viewed by navigating to Workspaces > Threat Intelligence Security Center > Integrations > Threat Intel Feeds > All Feeds.

    Figure: Threat Intelligence Feeds

    Actions on the All Feeds view

    The All Feeds section enables you to perform the following actions.
    Table 1. Actions on All Integrations view
    All: Use this drop-down menu to filter feeds based on their current state. You can filter based on the following states:
    • All: Displays all the feeds on the page. This is the default option.
    • Enabled: Displays all the feeds that are in an enabled state.
    • Disabled: Displays all the feeds that are in a disabled state.
    • Draft: Displays all the feeds that are in a draft state.
    Card view: Use this action to view all the feeds in the form of cards.
    List view: Use this action to view all the feeds in the form of a list.
    Refresh: Use this action to refresh the page.
    Sort: Use this action to sort all the feeds based on the following:
    • Last Modified (recent)
    • Last Modified (oldest)
    • Name (A-Z)
    • Name (Z-A)
    All items: Use this action to filter and list the threat intelligence feed tiles by source type or feed type.
    Source Type:
    • Open Source
    • Other Source
    • Premium Source
    Feed Type:
    • CSV
    • Custom Feed
    • JSON
    • MISP
    • RSS
    • STIX HTTPs
    • Text
    Search in catalog: Use this action to search for feeds by name and description within the catalog.

    Configure new threat intelligence feed data source

    To configure a new threat intelligence feed data source, follow the procedure:

    1. Navigate to Workspaces > Threat Intelligence Security Center.
    2. Click on Integrations icon.
    3. Select Threat Intel Feeds > All Feeds.
    4. Click Configure new source. The various feed types are displayed.

      Figure: TISC All Feeds - Configure new source

    5. Select the respective feed type. For example, MISP.
    6. Click Select.
    7. On the form, fill in the fields.
      Table 2. Create New Data Source
      Name: Enter a name for the feed.
      Description: Description of the feed.
      Feed Type: The feed type. For example, MISP.

      By default, this value is displayed based on the type of feed that you selected from the Catalog.

      Logo: Attach the logo of the source feed.
      Industry: Select the industry category, such as Aerospace or Agriculture, to which the feed data source applies.
      Source Type: Select the type of source from the list of available source types. The available source types are:
      • Government
      • ISACs
      • Open Source
      • Premium Source
      • Other Source
      Fill in the fields in the Configuration section, as appropriate.
      Table 3. Configuration
      Expiry period (days): Enter the expiry period for the feed in days. For example, 180 days.
      Note:
      Data ingested from the source expires after this period; with a value of 180, records expire 180 days after ingestion.
      Use REST Message: Select the Use REST Message check box if you need to use the REST Message/REST Method functionality provided by the ServiceNow AI Platform.

      If this check box is not selected, the application uses the endpoint provided in REST Endpoint URL to fetch the data from the feed. For more information, see Outbound REST web service in the ServiceNow AI Platform documentation.

      Note:
      The REST Message and REST Method fields are mandatory when you select Use REST Message.
      REST Message: Select the REST Message record from the list of REST Message records that are already configured in the instance. For more information, see Outbound REST web service in the ServiceNow AI Platform documentation.
      Note:
      Select this value when you need to view specific headers and define the REST-related records using the REST Message option.
      REST Method: Select a REST Method from the list of REST Methods configured for the selected REST Message. For more information, see Outbound REST web service in the ServiceNow AI Platform documentation.
      Confidence: Set the confidence for all the applicable records that are ingested through this feed.
      Note:
      Set the confidence between 0 and 100 for this source.
      REST endpoint URL: Enter the REST endpoint URL where the data is hosted by the data source.
      Authentication Required: Select this check box if authentication is required for your new data source.
      Note:
      This setting applies only when the REST Endpoint URL is used to retrieve the data.
      Authentication Type: The authentication type for the source feed. The following authentication types are configured and provisioned in the base system:
      • API ID / API Key
      • API ID / API Secret
      • API Key
      • API Key / API Secret
      • API Username / API Password / API Key
      • Basic Authentication
      Note:
      For the Custom source feed type, the authentication type in the base system is Client ID and Client Secret.
      Headers to be passed with request: Any headers to be passed with the requests can be provided in Request Header Mapping. Provide each header as a key-value pair separated by a colon (':'), with one header per line. To pass authentication parameters as header values, enclose the required Authentication Label in '${' and '}$'. For example, x-api-key:${API Key}$.
      Advanced: Select this check box to define a custom integration script and report processor script.
      Note:
      When you select this check box, the Integration script and Report Processor fields appear so that you can select the custom scripts.
      Integration script: The integration script calls the REST Endpoint URL using the authentication parameters and headers configured in the feed, and then fetches the data that is available from the feed.
      The base system provides the following script includes for integration scripts:
      • FeedDatasourceIntegrationBase
      • MITRESourceIntegration
      • RSSFeedDatasourceIntegration
      • SimpleFeedDatasourceIntegration
      • SimpleMISPFeedDatasourceIntegration

      The default integration script depends on the feed type that you select. For example, if you select the MISP feed type, which is a standard format for processing and fetching the data, the integration script is SimpleFeedDatasourceIntegration.

      Note:

      For custom integration scripts, create a script include that extends FeedDatasourceIntegrationBase and override the required methods.

      Report processor: The report processor script processes the data that is fetched from the feed by the integration script.

      The base system provides the following script includes for report processors:
      • FeedDatasourceResponseProcessor
      • MITRECollectionDataProcessor
      • RSSFeedDatasourceResponseProcessor
      • SimpleFeedDatasourceResponseProcessor
      • SimpleMISPFeedDatasourceResponseProcessor
      • TAXIIV2CollectionDataProcessor

      The default Report Processor for STIX HTTPS is TAXIIV2CollectionDataProcessor. This option is displayed by default, and you cannot modify it or select any other report processor.

      Fill in the fields in the Scheduling section, as appropriate.

      Table 4. Scheduling
      Run: Set the frequency at which you want to ingest the records. The feed runs according to the scheduled job interval. The available job intervals are:
      • Daily
      • Weekly
      • Monthly
      • Periodically
      • Once
      • On Demand
      • Business Calendar: Entry Start
      • Business Calendar: Entry End
      Note:
      By default, the frequency is set to On Demand.
      For more information, see Scheduled Jobs and how to Automatically run a script of your choosing.
      Fetch Data From: The start date from which data is to be fetched. Set this field to the time from which data needs to be ingested from the corresponding source. Once this field is set, the next ingestion run fetches the data from the configured time, and subsequent ingestion runs fetch only incremental data.

      For example, a source is scheduled to ingest data every hour. The user sets Fetch Data From to Jan 12 6:00AM at Jan 12 9:30AM. The ingestion that triggers at Jan 12 10:00AM fetches the data from Jan 12 6:00AM to Jan 12 10:00AM. The next ingestion, which triggers at 11:00AM, fetches only the incremental data from Jan 12 10:00AM to Jan 12 11:00AM.

      Note:
      This means the scheduled runs fetch data incrementally, starting from the specified date onwards.
      Table 5. Tags
      Select Tags: Use tags to annotate or earmark records that are ingested into the system from this source. Start entering the tag name in the Search bar to choose from the available tags in the application, or enter a new tag name and click Add to assign it to the source.
    8. Click the Save action to store and create the feed.

      The provided details are validated, and by default the feed's status is Disabled.

    9. (Optional) Click the Save as Draft action to store only the feed configuration as a draft. A feed cannot be enabled while it is saved as a draft.

      If you're not sure about the configuration details, use the Save as Draft option. When you have the remaining details, fill them in on the draft version and create the feed.

    10. To enable the feed, click Enable.
      The feed is enabled successfully. You can also enable, disable, or delete a particular feed by using the Actions menu of the required feed tile on the Catalog or Threat Intel Feeds page.
      Note:
      If the Run frequency is set to On Demand in the Scheduling section of the data source form, then whenever you enable the integration a message prompt informs you that the source has been enabled. You must change the run frequency for the source configuration to ingest data automatically.
    11. Click Enable to enable the record.
      Once the feed data source record is enabled, you can execute the record to run the integration.
      Note:
      The data source record is labelled and indicated as enabled. Similarly, you can disable the data source feed by clicking the Disable button.
    12. Click Delete to delete the feed data source record.
    13. Select the Integrations Run section to verify the run details.
    Note:
    The above feed data source configuration procedure is the same for all other feed data source types, except for STIX TAXII. For more information on how STIX TAXII is configured, see Configure a new TAXII Feed.
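    The Headers to be passed with request format from Table 3 (one key:value pair per line, authentication labels wrapped in ${ and }$) is shown here as an added example; this is not ServiceNow code, and the credential values and header lines are constructed for illustration. It splits on the first colon only, so header values that contain colons survive, and it refuses to build a request when a label has no configured credential, so a literal placeholder is never sent to the feed endpoint.

```javascript
// Added example (not ServiceNow code): parse the "Headers to be passed with
// request" mapping. One "key:value" pair per line; a value may reference an
// authentication label as ${Label}$, resolved from the feed's credentials.
function parseHeaderMapping(mappingText, credentials) {
  var headers = {};
  var lines = mappingText.split(/\r?\n/);
  for (var i = 0; i < lines.length; i++) {
    var line = lines[i].trim();
    if (line === '') continue;                 // ignore blank lines
    var sep = line.indexOf(':');               // split on the first colon only;
    if (sep <= 0) {                            // header values may contain ':'
      throw new Error('Malformed header line (expected key:value): ' + line);
    }
    var key = line.slice(0, sep).trim();
    var value = line.slice(sep + 1).trim();
    // Replace every ${Label}$ with the matching credential value. An unknown
    // label aborts the build so a literal placeholder is never sent upstream.
    value = value.replace(/\$\{([^}]+)\}\$/g, function (_, label) {
      if (!Object.prototype.hasOwnProperty.call(credentials, label)) {
        throw new Error('Unknown authentication label: ' + label);
      }
      return credentials[label];
    });
    headers[key] = value;
  }
  return headers;
}

// Constructed sample: the page's own x-api-key example plus a static header.
var SAMPLE_MAPPING = 'x-api-key:${API Key}$\nAccept: application/json\n';
var SAMPLE_CREDENTIALS = { 'API Key': 'EXAMPLE-KEY-0000' };  // constructed value

function buildSampleHeaders() {
  return parseHeaderMapping(SAMPLE_MAPPING, SAMPLE_CREDENTIALS);
}

// A mapping that references a label with no configured credential is rejected.
function isUnknownLabelRejected() {
  try {
    parseHeaderMapping('Authorization: Bearer ${API Secret}$', SAMPLE_CREDENTIALS);
    return false;
  } catch (e) {
    return /Unknown authentication label/.test(e.message);
  }
}
```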

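    The Fetch Data From behaviour from Table 4 (first run fetches from the configured time, later runs fetch only the increment) is modelled below as an added example; this is not ServiceNow code, and the year in the timestamps is assumed since the page gives only "Jan 12". The marker only advances after a run is committed, so a failed run is retried over the same window rather than leaving a gap.

```javascript
// Added example (not ServiceNow code): a high-water-mark model of the
// "Fetch Data From" setting. Times are ISO-8601 UTC strings (constructed).
function FeedIngestionState(fetchDataFrom) {
  // The marker is the start of the next window; it moves only on commitRun,
  // so an ingestion that fails can be re-planned over the same range.
  this.marker = new Date(fetchDataFrom);
}

// Compute the window a run triggered at runTime should fetch.
FeedIngestionState.prototype.planRun = function (runTime) {
  var to = new Date(runTime);
  if (to <= this.marker) {
    throw new Error('Run time must be later than the current marker');
  }
  return { from: this.marker.toISOString(), to: to.toISOString() };
};

// Record a successful run: the next window starts where this one ended.
FeedIngestionState.prototype.commitRun = function (window) {
  this.marker = new Date(window.to);
};

// Replay the page's worked example: Fetch Data From = Jan 12 06:00 (set at
// 09:30), hourly runs at 10:00 and 11:00. Year 2024 is an assumption.
function replayExample() {
  var state = new FeedIngestionState('2024-01-12T06:00:00Z');
  var windows = [];
  var first = state.planRun('2024-01-12T10:00:00Z');   // 06:00 -> 10:00
  windows.push(first);
  state.commitRun(first);
  var second = state.planRun('2024-01-12T11:00:00Z');  // 10:00 -> 11:00 only
  windows.push(second);
  state.commitRun(second);
  return windows;
}
```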
    Types of Threat Intel Feeds

    The following are the types of threat intelligence feeds which can be configured and enabled:
    Table 6. Threat Intelligence Feeds
    TAXII Feeds: Feeds that are available in STIX/TAXII Collections format.
    STIX HTTPS: Threat intelligence feeds in STIX format that can be accessed through REST APIs over HTTPS.
    MISP: Feeds that are in the MISP feed format.
    Text: Feeds that are available as hosted files in text format.
    Note:
    The system parses the files and extracts only URL, domain, file name, hash, and IP address observables; no other observable types are extracted.
    CSV: Feeds that are available as hosted files in CSV format.
    Note:
    The system parses the files and extracts only URL, domain, file name, hash, and IP address observables; no other observable types are extracted.
    JSON: Feeds that are available as hosted files in JSON format.
    Note:
    The system parses the files and extracts only URL, domain, file name, hash, and IP address observables; no other observable types are extracted.
    RSS: Feeds that are available in RSS format. The application stores the data as RSS Feed records.
    Custom: Feeds that are configured using custom parsers.
    Note:
    The system parses the files and extracts only URL, domain, file name, hash, and IP address observables; no other observable types are extracted.

    For the next steps in the procedure, refer to the respective section for configuring each specific feed type.