Feed API Services

Overview

Feed API Service Apps enable you to deploy a Source using a Service instead of a Job. This method allows for data to stream into the Source in near real time rather than periodically based on when a corresponding Job is scheduled to run.

You can install Feed API Service Apps via TC Exchange™ and deploy a Feed API Service App’s Source to an Organization on your ThreatConnect^® instance with the Feed Deployer. When you deploy a Feed API Service App’s Source, the following will occur:

• the Source will be created in the owner selected during the feed-deployment process;
• a Service for the App will be created automatically;
• an API user will be created automatically and attached to the Service so that it can upload data to the Source.
  Important

  The API user created during this process will not be displayed on the Membership tab of the Organization Settings screen or when retrieving users via the ThreatConnect v3 API.

Before You Start

Installing a Feed API Service App and Deploying its Source Feed

1. Log into ThreatConnect with a System Administrator account.
2. On the top navigation bar, hover over Settings  and select TC Exchange Settings. The Installed tab of the TC Exchange Settings screen will be displayed.
3. Click the Catalog tab. The Catalog screen will be displayed.
4. Locate a Feed API Service App (CrowdStrike^® Falcon Intelligence™ Engine in this example) and install it by clicking Install in the Options column.
   Note

   To display only Feed API Service Apps on the Catalog screen, select Apps from the leftmost dropdown menu along the top of the screen and then select Service Apps from the dropdown menu to the left of the search bar. Feed API Service Apps will have FeedApiService listed as their category in the Category column.
5. After the desired Feed API Service App is installed, click the Installed tab of the TC Exchange Settings screen. The Installed screen will be displayed.
6. Locate the installed Feed API Service App, click the vertical ellipsis in the Options column, and select Deploy. The Source tab of the Feed Deployer window will be displayed (Figure 1).

   

    

   • Sources to Create: Enter a name for the Source to be created.
     Note

     You can deploy a Feed API Service App's Source multiple times to a single Organization on your ThreatConnect instance. When doing so, you must enter a unique name for the Source to be created each time it is deployed.
   • Owner: Select the Organization in which the Source will be created.
   • Activate Deprecation: Select this checkbox to allow the creation of Deprecation Rules for Indicators in the Source.
   • Create Attributes: Select this checkbox to allow the creation of custom Attribute Types in the Source.
   • Click the Next button.
     Important

     If a Feed API Service App’s Source is already deployed in another Organization on your ThreatConnect instance, a message will be displayed at the top of the Source tab stating that the Source can only be redeployed to that owner.
7. The Parameters tab of the Feed Deployer window will be displayed (Figure 2).

   

    

   • Launch Server: Select the server on which the Service corresponding to the Feed API Service App will launch. It is recommended to select tc-job.
   • Fill out the specified parameters, if any, for the Feed API Service App.
   • Click the Next button.
8. The Variables tab of the Feed Deployer screen will be displayed (Figure 3).

   

    

   • Configure the specified variables, if any, for the Feed API Service App. These variables will be created in the Organization selected from the Owner dropdown on the Source tab (Figure 1).
   • Click the Next button.
9. The Confirm tab of the Feed Deployer window will be displayed (Figure 4).

   

    

   • Review the settings configured for the Feed API Service App.
   • Run Feeds after deployment: Select this checkbox to enable the Service corresponding to the Feed API Service App automatically after deploying the Source. If you leave this checkbox cleared, you must navigate to the Services tab of the Playbooks screen and enable the Service manually, as detailed in the “Activating a Feed API Service” section.
   • Click the DEPLOY button. The Feed Deployer window will close, and a message will be displayed along the top of the TC Exchange Settings screen confirming that the Source was deployed in the selected owner.

Activating a Feed API Service

Follow these steps to enable a Service created for a Feed API Service App manually after deploying the App’s Source:

1. Log into ThreatConnect with a System Administrator account.
2. On the top navigation bar, hover over Playbooks and select Services. The Services tab of the Playbooks screen will be displayed (Figure 5).

   

    

3. Toggle the Feed Service slider on to activate the Feed API Service.
   Note

   The API path for Feed Services includes a randomly generated string of characters (xgfazvcl in Figure 5) to ensure that there are no conflicts to the API path if the Feed API Service App's Source is deployed multiple times on your ThreatConnect instance.

Editing a Feed API Service

To edit a Feed API Service’s configuration and parameters, click the vertical ellipsis in the Options column on the Services tab of the Playbooks screen (Figure 5) and select Edit. For further instruction on editing a Service, see Playbook Services.

ThreatConnect^® is a registered trademark, and TC Exchange™ is a trademark, of ThreatConnect, Inc.
CrowdStrike^® is a registered trademark, and CrowdStrike Falcon Intelligence™ is a trademark, of CrowdStrike, Inc.

20143-01 v.01.A