- 22 Mar 2023
Feed API Services
- Updated on 22 Mar 2023
Overview
Feed API Service Apps enable you to deploy a Source using a Service instead of a Job. This method allows for data to stream into the Source in near real time rather than periodically based on when a corresponding Job is scheduled to run.
You can install Feed API Service Apps via TC Exchange™ and deploy a Feed API Service App’s Source to an Organization on your ThreatConnect® instance with the Feed Deployer. When you deploy a Feed API Service App’s Source, the following will occur:
- the Source will be created in the owner selected during the feed-deployment process;
- a Service for the App will be created automatically;
- an API user will be created automatically and attached to the Service so that it can upload data to the Source.
  Important: The API user created during this process will not be displayed on the Membership tab of the Organization Settings screen or when retrieving users via the ThreatConnect v3 API.
Before You Start
| Minimum Role(s) | |
|---|---|
| Prerequisites | None |
Installing a Feed API Service App and Deploying its Source Feed
- Log into ThreatConnect with a System Administrator account.
- On the top navigation bar, hover over Settings and select TC Exchange Settings. The Installed tab of the TC Exchange Settings screen will be displayed.
- Click the Catalog tab. The Catalog screen will be displayed.
- Locate a Feed API Service App (CrowdStrike® Falcon Intelligence™ Engine in this example) and install it by clicking Install in the Options column.
  Note: To display only Feed API Service Apps on the Catalog screen, select Apps from the leftmost dropdown menu along the top of the screen and then select Service Apps from the dropdown menu to the left of the search bar. Feed API Service Apps will have FeedApiService listed as their category in the Category column.
- After the desired Feed API Service App is installed, click the Installed tab of the TC Exchange Settings screen. The Installed screen will be displayed.
- Locate the installed Feed API Service App, click the vertical ellipsis in the Options column, and select Deploy. The Source tab of the Feed Deployer window will be displayed (Figure 1).
  - Sources to Create: Enter a name for the Source to be created.
    Note: You can deploy a Feed API Service App's Source multiple times to a single Organization on your ThreatConnect instance. Similarly, you can deploy a Feed API Service App’s Source to multiple Organizations on your ThreatConnect instance. In either scenario, you must enter a unique name for the Source to be created each time it is deployed.
  - Owner: Select the Organization in which the Source will be created.
  - Activate Deprecation: Select this checkbox to allow the creation of Deprecation Rules for Indicators in the Source.
  - Create Attributes: Select this checkbox to allow the creation of custom Attribute Types in the Source.
  - Click the Next button.
    Important: If a Feed API Service App’s Source is already deployed in another Organization on your ThreatConnect instance, a message will be displayed at the top of the Source tab stating that the Source can only be redeployed to that owner.
- The Parameters tab of the Feed Deployer window will be displayed (Figure 2).
  - Launch Server: Select the server on which the Service corresponding to the Feed API Service App will launch. It is recommended to select tc-job.
  - Fill out the specified parameters, if any, for the Feed API Service App.
  - Click the Next button.
- The Variables tab of the Feed Deployer screen will be displayed (Figure 3).
  - Configure the specified variables, if any, for the Feed API Service App. These variables will be created in the Organization selected from the Owner dropdown on the Source tab (Figure 1).
  - Click the Next button.
- The Confirm tab of the Feed Deployer window will be displayed (Figure 4).
  - Review the settings configured for the Feed API Service App.
  - Run Feeds after deployment: Select this checkbox to enable the Service corresponding to the Feed API Service App automatically after deploying the Source. If you leave this checkbox cleared, you must navigate to the Services tab of the Playbooks screen and enable the Service manually, as detailed in the “Activating a Feed API Service” section.
  - Click the DEPLOY button. The Feed Deployer window will close, and a message will be displayed along the top of the TC Exchange Settings screen confirming that the Source was deployed in the selected owner.
    Important: If a Feed API Service App’s Source has already been deployed to the selected Organization, a Confirm Deployment Over Existing Source checkbox will be displayed on the Confirm tab of the Feed Deployer window (Figure 4). Select this checkbox and click the DEPLOY button to redeploy the Feed API Service App’s Source in the Organization. This process will create a new Service for the Feed API Service App. As such, it is recommended to delete the old Service associated with the Feed API Service App after the new one is created.
Activating a Feed API Service
Follow these steps to enable a Service created for a Feed API Service App manually after deploying the App’s Source:
- Log into ThreatConnect as a System Administrator or an Organization Administrator for an Organization in which a Feed API Service’s Source was deployed.
- On the top navigation bar, hover over Playbooks and select Services. The Services tab of the Playbooks screen will be displayed (Figure 5).
- Toggle the Feed Service slider on to activate the Feed API Service.
  Note: The API path for Feed Services includes a randomly generated string of characters (xgfazvcl in Figure 5) to ensure that there are no conflicts to the API path if the Feed API Service App's Source is deployed multiple times on your ThreatConnect instance.
Editing a Feed API Service
System and Organization Administrators can edit a Feed API Service’s configuration and parameters by clicking the vertical ellipsis in the Options column on the Services tab of the Playbooks screen (Figure 5) and selecting Edit. For further instruction on editing a Service, see Playbook Services.
Adding a Feed API Service App's Source to Multiple Organizations
A Feed API Service App’s Source may be deployed to only one Organization on a ThreatConnect instance. Follow these steps to add the Source to other Organizations after it has been deployed to an Organization on your instance:
- Log into ThreatConnect with an Accounts Administrator, Organization Administrator, or System Administrator account.
- On the top navigation bar, hover over Settings and select Account Settings. The Organizations tab of the Account Settings screen will be displayed.
- Click the Communities/Sources tab. The Communities/Sources screen will be displayed.
- Enter the Source’s name into the search bar at the top left and then click Search or press the Enter key on your keyboard. The Source will be displayed in the results table (Figure 6).
- Click Community Membership in the Options column. The Community/Source Membership window will be displayed (Figure 7).
  - Add All Organizations: Select this checkbox to add the Source to all Organizations on your ThreatConnect instance.
  - Organizations: Enter the name of an Organization to which the Source is to be added. As characters are entered, a list will be displayed from which you can select a single Organization or the ADD ALL ABOVE option to add the Source to all Organizations displayed in the list.
  - Default Role: Select the default Community role that all user accounts in the selected Organization(s) will be given in the Source.
  - Default API Role: Select the default Community role that all API accounts in the selected Organization(s) will be given in the Source.
  - Allow Data Copy: Select this checkbox so that data from the Source may be copied into the selected Organization(s).
  - Click the SAVE button.
ThreatConnect® is a registered trademark, and TC Exchange™ is a trademark, of ThreatConnect, Inc.
CrowdStrike® is a registered trademark, and CrowdStrike Falcon Intelligence™ is a trademark, of CrowdStrike, Inc.
20143-01 v.02.A