This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Ingesting threat intel that use APIs like CrowdStrike Intelligence API

Anonymous
Not applicable

‎2021-04-14 10:42 PM

I'm interested in hearing about other peoples approaches to ingesting Intel through providers that utilise APIs like CrowdStrike intelligence.

Right now they provide NetWitness feed files to add into the platform but it's a manual process and I'm looking to automate it.

If you're using API based threat intel providers, how do you get it into NetWitness? Are you writing custom scripts to pull from the APIs and then output to NW format CSV for example 

Thanks.

0 Likes
2 REPLIES 2

JoshRandall
Valued Contributor Valued Contributor
Valued Contributor

‎2021-04-15 04:06 PM

@Anonymous 

There are a few examples scattered around Link with examples and details on how to accomplish this kind of activity. The best is probably from David Waugh in his post Extracting Event Time from Logs. Though it's a bit dated now, the content is still applicable.

The portion that applies to your ask is his UTCAdjustFeed.sh script.  If you need to create the feed file from a CSV, then the NwConsole "feed create" command will be necessary.

If you already have a feed file (Crowdstrike had these in the past, not sure if they still do) then you could jump right to the feed transfer and notify steps.

You could even merge those last 2 (transfer and notify) into a single API command using the "/decoder/parsers/upload" node. This will upload the feed and notify the service all at once; e.g.:

curl -k --user admin:netwitness --data-binary '@</PATH/TO/FILE.FEED>' -H 'Content-Type: application/octet-stream'  -X POST 'https://<DECODER:PORT>/decoder/parsers/upload?msg=upload&op=start&filename=<FILENAME.FEED>'
JoshRandall_1-1618517031708.png

Mr. Mongo
0 Likes

Anonymous
Not applicable
In response to JoshRandall

‎2021-04-16 07:41 PM

Thanks for the input @JoshRandall it makes sense. CrowdStrike still has the feed files available for download, I currently do it manually via their web portal, I don't want to do it manually anymore 🙂 hence the question about automating it. Also I find that working with the feed files in terms of offering additional context to the indicators for false positives etc.

CS offer a REST API for their indicators which I might just use the many scripts to download from the API and then perhaps use your suggestions to join the two sides together.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.