Feed API Services

Overview

Feed API Service Apps simplify and automate the near-real-time ingestion of enriched data from a feed into ThreatConnect. They use the Feed Deployer to create and configure a Source for initial data ingestion and a Service to manage and monitor ongoing data ingestion into the Source. The Service includes a user interface (UI) that provides information such as the number and types of objects downloaded into the Source, a breakdown of data ingestion tasks such as monitoring and downloads, runtime analytics, and batch errors that occurred during download. You can also download JavaScript® Object Notation (JSON) files for individual data objects from the feed and then upload the data into ThreatConnect.

Before You Start

User Roles

• To install a Feed API Service App, your user account must have a System role of Administrator.
• To deploy a Feed API Service App to an Organization, your user account must have a System role of Administrator.
• To view and manage a Feed API Service in your Organization, your user account must have an Organization role of Organization Administrator.
• To view and manage a Feed API Service in any Organization on a ThreatConnect instance, your user account must have a System role of Administrator.
• To add an Organization as a member of a Feed API Service App’s Source, your user account must have a System role of Administrator, Operations Administrator, or Accounts Administrator. 

Install a Feed API Service App 

Follow these steps to install a Feed API Service App on your ThreatConnect instance:

1. Log into ThreatConnect with a System Administrator account .
2. From the Settings menu on the top navigation bar, select TC Exchange Settings. 
3. Select the Catalog tab on the TC Exchange™ Settings screen.
4. Locate the Feed API Service App on the Catalog tab.
   Hint

   To display only Service Apps on the Catalog tab, select Service Apps from the dropdown to the left of the search bar. Feed API Service Apps have FeedApiService displayed in the Category column.
5. Click Install in the Options column for the App.
6. Click INSTALL in the App's Release Notes window.
7. After you install the Feed API Services App, the Feed Deployer opens automatically. See the “Deploy a Feed API Service to an Organization” section for instruction on how to use the Feed Deployer to deploy the Source to an Organization and configure the Feed API Service. 

Deploy a Feed API Service App to an Organization

Feed API Service Apps leverage the Feed Deployer to create a Source for data ingestion from the feed in an Organization and to configure the Service’s ingestion and authentication parameters. After you install a Feed API Service App on your ThreatConnect instance, you can deploy it to any Organization. It must be deployed separately for each Organization in which you want to create a Source for data ingestion and a corresponding Service.

Follow these steps to enable a Service created for a Feed API Service App manually after deploying the App’s Source:

1. Log into ThreatConnect with a System Administrator account.
2. From the Settings menu on the top navigation bar, select TC Exchange Settings. 
3. Locate the Feed API Service App on the Installed tab. Then select Deploy from the Options ⋮ dropdown.
4. Follow the instructions in Table 1 to fill out the fields in the Feed Deployer window for a deployment of the Feed API Service App.

    

   Name	Description	Required?
   Source Tab
   Sources to Create	Enter the name of the Source for the feed. Note  Unless you are redeploying the feed to an existing Source in an Organization, the name of the Source must be unique on your ThreatConnect instance. It is recommended to add the Organization’s name to the end of the default Source name (e.g., CrowdStrike Falcon Intelligence Engine – Demo Organization) for easy identification of the Source’s owner.	Required
   Owner	Select the Organization in which the Source will be created.	Required
   Activate Deprecation	Select this checkbox to allow confidence deprecation rules to be created and applied to Indicators in the Source.	Optional
   Create Attributes	Select this checkbox to allow custom Attribute Types to be created in the Source.	Optional
   Parameters Tab
   Launch Server	Select tc-job as the launch server for the Feed API Service App.	Required
   Note The rest of the fields on this tab depend on the configuration requirements of the particular Feed API Service App. See that App’s Knowledge Base article for more information.
   Variables Tab
   Note The fields on this tab depend on the authentication and other requirements of the particular Feed API Service App. A variable for each field will be created in the Organization selected in the Owner dropdown on the Source tab. You can view, edit, and delete these variables on the Variables tab of the Organization Settings screen for that Organization.
   Confirm Tab
   Run Feeds after deployment	Select this checkbox to run the Feed API Service immediately after you click DEPLOY on the Feed Deployer window.	Optional
   Confirm Deployment Over Existing Source	This checkbox and a warning message are displayed on the Confirm tab if the Source name entered on the Source tab is already used by a Source owned by the selected Organization. To confirm redeploying the App to the existing Source, select the checkbox. This will activate the DEPLOY button. Otherwise, you must return to the Source tab and either change the Source name or select a different Organization. Warning  When you redeploy a Feed API Service to a Source, existing data in the Source may be overwritten. Redeployment will also create a new Service for the Feed API Service App. It is recommended that you delete the previous Service for the Feed API Service App after the new one is created.	Optional

5. Click DEPLOY on the Confirm tab of the Feed Deployer window to deploy the Feed API Service App in the Organization, which will create a Source for the feed in the Organization and a corresponding Feed API Service.

View and Manage a Feed API Service

After a Feed API Service App is deployed in an Organization, you can view and manage the Service on the Services screen.

View a Feed API Service

Follow these steps to view a Feed API Service on the Services screen:

1. From the Automation & Feeds menu on the top navigation bar, select Services.
2. Locate the row for the Feed API Service.
   Hint

   You can select Feed Service from the Service Type dropdown at the upper right to filter the screen to show only Feed API Services.
3. Click the Feed API Service’s row to view a Details drawer with information such as the version of the Feed API Service App and the Service’s description, status, uptime, memory usage, and CPU usage.

Manage a Feed API Service

You can manage a Feed API Service in the following ways:

• Enable/Disable: Toggle the slider in the Enable column to enable or disable the Service.
• Edit: Select Edit… from the Service’s Options ⋯ menu to open the Edit Service drawer. The Edit Service drawer has three tabs that allow you to do the following:
  • Select: Edit the Service’s name and view its type and the name of the Feed API Service App.
  • Configure: Edit the Service’s configuration parameters, including the API path for its UI and email notifications and number of restart attempts on failure.
  • Parameters: Edit the Service’s authentication and ingestion parameters. These are the parameters that were entered on the Parameters and Variables tabs of the Feed Deployer.
    Hint

    The Options ⋯ menu also provides options to download logs for the Service, enable or disable run on startup for the Service, select an Environment for remote execution, select the Service’s log level, view the Service’s Details drawer, and delete the Service
  • Feed API Service UI: Click the link in the API Path column for an enabled Feed API Service to open the Service’s UI. Each Feed API Service has a unique API path. For instruction on the UI for a particular Feed API Service, see the ThreatConnect Knowledge Base article for the corresponding Feed API Service App.

Add an Organization as a Member of a Feed API  Service's Source

The Organization in which a Feed API Service is deployed is the owner of the Source created for the feed. Follow these steps to add other Organizations as members of the Source, which will allow users in those Organizations to access the Source’s data:

1.  From the Settingsmenu on the top navigation bar, select Account Settings. 
2. Select the Communities/Sources tab. 
3. Locate the row for the Source.
4. Click Community Membershipin the Options column. 
5. Fill out the fields on the Community/Source Membership window (Figure 1) as follows: 

    

   • Add All Organizations: Select this checkbox to add all Organizations on your ThreatConnect instance as a member of the Source.
   • Organizations: Enter the name of individual Organizations to add as a member of the Source.
   • Default Role: Select the default Community role in the Source for all user accounts in the Organizations.
     Hint

     The term “Community role” refers to a user’s owner role in a Community or Source.
   • Default API Role: Select the default Community role in the Source for all API accounts in the Organizations.
   • Allow Data Copy: Select this checkbox to give the Organization data copy permission for the Source. This means that users in the Organizations whose Community role of Director, Editor, or Contributor in the receiving Community or Source.
     Note

     Users in Organizations with data copy permissions in a Source can also copy data from the Source into other Communities and Sources their Organization belongs to if they have a Community role of Director, Editor, or Contributor in the receiving Community or Source.

   • Click Save.

ThreatConnect^® is a registered trademark, and TC Exchange™ is a trademark, of ThreatConnect, Inc.
CrowdStrike^® is a registered trademark, and CrowdStrike Falcon Intelligence™ is a trademark, of CrowdStrike, Inc.

20143-01 v.03.A