Creating an HTTP Feed
  • 04 Mar 2024
  • 2 Minutes to read
  • Dark
    Light

Creating an HTTP Feed

  • Dark
    Light

Article Summary

Overview

Organization Administrators can set up an ad hoc HTTP Feed (also known as a “screen scrape”) for sources of information in ThreatConnect®. This ability is particularly useful when a more in-depth feed integration with ThreatConnect does not exist. In order for this feature to work adequately, the source of information should be updated with some regularity. When the Feed Monitor finds Indicators at the designated URL, it will import the Indicators according to the configuration.

Before You Start

Minimum Role(s)Organizational role of Organization Administrator
PrerequisitesA Source administered by the Organization

Creating an HTTP Feed

  1. Log into ThreatConnect with an account that has access to the desired Source.
  2. On the top navigation bar, click Posts. The Posts screen will be displayed.
  3. Select a Source using the selector at the upper-right corner of the screen or from the Intelligence Sources section of the My ThreatConnect card on the left side of the screen. The Posts screen for the selected Source will be displayed (Figure 1).

    Graphical user interface, application, Teams  Description automatically generated

     

  4. Click Source Config Icon  Description automatically generated icon at the upper-right corner of the Source card. The Attribute Types tab of the Source Config screen will be displayed.
  5. Click the Data tab. The Data screen will be displayed (Figure 2).

     

  6. Click the + NEW button in the HTTP Feeds section. The Create Source Feed window will be displayed (Figure 3).

    Graphical user interface, application  Description automatically generated

     

    • Name: Enter a name for the Source Feed.
    • URL: Enter the URL to monitor for Indicators.
    • Exclude Indicators: Enter Indicators to be excluded from ingestion by the Source Feed, separated by commas. For instance, threatconnect.com may be present on a web page, but not desired for import.
    • Tags (comma separated): Enter Tags to associate with all Indicators imported by the Source Feed, separated by commas.
    • Description: Enter a general description to be added to the Description Attribute on Indicators imported by the Source Feed.
    • Source: Enter a Source description to be added to the Source Attribute on Indicators imported by the Source Feed.
    • Use this feed for Deletion: Select this checkbox if the Source Feed should use its input to delete Indicators. Otherwise, leave the checkbox cleared to specify that the Source Feed should use its input to create Indicators.
    • Choose Import Options: Select the Indicator type(s) for which the Source Feed should search.
    • Default Threat Rating: Use the skull icons to set the default Threat Rating for Indicators imported by the Source Feed.
    • Default Confidence Rating: Use the slider to set the default Confidence Rating for Indicators imported by the Source Feed.
    • Next Execution Time: Enter the next date and time when the Source Feed will run.
    • Collection Interval (hours): Enter the interval, in hours, at which the feed should collect data.
    • Beginning Buffer: Enter the number of lines at the top of the web page at the URL to exclude from Indicator parsing.
    • Ending Buffer: Enter the number of lines at the bottom of the web page at the URL to exclude from Indicator parsing.
    • Click the SAVE button. The new feed will be displayed in the HTTP Feeds section of the Data screen.

ThreatConnect® is a registered trademark of ThreatConnect, Inc.

20072-01 v.01.E


Was this article helpful?