Customers can submit (upload) their own threat indicators and share them with other organizations or groups with which they have the right to share. Submitted data is available via Dossier and Indicator searches on the portal and through the Data API. Data Governance Policies allow organizations to control how their submitted data is shared with other organizations or groups on the platform. Infoblox can enable access and data sharing between organizations upon request. Policies can be used for multiple data submissions and are only visible within your organization.

Data profiles are used to identify data in the platform from one or many data submissions. A data profile must be specified when data is submitted. Data profiles are associated with governance policies, which control who can access the data. When a data profile is created it must be associated with a governance policy.

Users can submit threat indicators on the portal or via the Data API. To submit data, the following are required:

1. A governance policy: Defines how data is shared.
2. A data profile: Defines whether the standard TTL should be used and which governance policy applies.

Users can submit data using the following formats: JSON, CSV, XML, TSV (tab separated values). For all data formats, the submitted data must identify the data/record type in addition to the list of data records. For CSV and TSV the record type must be provided as one of the columns. For JSON and XML the record type is defined in a separate top-level field. The record type field can be one of the following values: host, ip, or url. It is not possible to upload data using different profiles or different record types in the same file. Threat data consists of file-level fields and record-level fields. The following table contains descriptions of all available fields:

Threat Data Fields

| Field Name | Description |
|---|---|
| File-level fields | |
| profile | data profile id or name |
| record_type | host, ip, or url |
| external_id | string indicating an external ID to assign to the batch |
| record | surrounds the individual record(s) in the XML and JSON formats |
| Record-level fields | |
| host | threat hostname |
| ip | threat IP address |
| url | threat URL |
| property | threat type |
| target | target of threat |
| detected | date/time threat was detected, in ISO 8601 format |
| duration | duration of this threat in XyXmXwXdXh format; the expiration date will be set to the detected date + this duration |


The following listing contains a sample data submission in XML format:

<feed>
  <profile>SampleProfile</profile>
  <record_type>ip</record_type>
  <record>
    <ip>127.1.0.1</ip>
    <property>Phishing_Phish</property>
    <detected>20170602T154742Z</detected>
  </record>
  <record>
    <ip>8.8.8.8</ip>
    <property>Scanner_Generic</property>
    <detected>19980927T154242Z</detected>
    <duration>42y0m0w0d42h</duration>
  </record>
</feed>


The following listing contains a sample data submission in JSON format:

{
  "feed": {
    "profile": "SampleProfile",
    "record_type": "host",
    "record": [
      {"host": "www.google.com", "property": "Scanner_Generic",
       "detected": "19980927T154242Z", "duration": "42y0m0w0d42h"},
      {"host": "www.example.com", "property": "Phishing_Phish",
       "detected": "20170602T154742Z"}
    ]
  }
}


The following listing contains a sample data submission in CSV format:

record_type,url,profile,detected,property
url,"https://example.com/page1.html","SampleProfile","20170602T154742Z","UnwantedContent_Parasite"
url,"http://example.com/gift.html","SampleProfile","20170602T154742Z","Scam_FakeGiftCard"

The recommended limit for the number of records in a given data submission is 50,000. The maximum number of records should be no more than 60,000 at this point in time.
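A pre-submission check for the rules above, as an added example that is not Infoblox code: it builds the JSON feed layout shown in the sample and rejects batches that mix record types, carry malformed `detected` or `duration` values, or exceed the stated record limits. The function names are hypothetical; it assumes `detected` uses the basic UTC form seen in the samples and that `duration` always carries all five components.

```python
import json
import re
from datetime import datetime

RECORD_TYPES = {"host", "ip", "url"}                    # values listed on this page
RECOMMENDED_MAX, HARD_MAX = 50_000, 60_000              # limits stated on this page
DETECTED_RE = re.compile(r"^\d{8}T\d{6}Z$")             # assumption: form used in the samples
DURATION_RE = re.compile(r"^\d+y\d+m\d+w\d+d\d+h$")     # assumption: all five XyXmXwXdXh parts


def check_record(n, rec, record_type):
    """Raise ValueError if record n does not fit a feed of the given record type."""
    # One record type per file: the record must carry that indicator field and no other.
    present = RECORD_TYPES.intersection(rec)
    if present != {record_type}:
        raise ValueError(f"record {n}: expected only '{record_type}', found {sorted(present)}")
    if not str(rec[record_type]).strip():
        raise ValueError(f"record {n}: empty {record_type} value")
    detected = rec.get("detected")
    if detected is not None:
        if not DETECTED_RE.match(detected):
            raise ValueError(f"record {n}: detected {detected!r} is not YYYYMMDDTHHMMSSZ")
        datetime.strptime(detected, "%Y%m%dT%H%M%SZ")   # rejects impossible dates (ValueError)
    duration = rec.get("duration")
    if duration is not None and not DURATION_RE.match(duration):
        raise ValueError(f"record {n}: duration {duration!r} is not in XyXmXwXdXh form")


def build_feed(profile, record_type, records):
    """Return (json_text, warnings) for one batch: one profile, one record type."""
    if not profile:
        raise ValueError("a data profile id or name is required")
    if record_type not in RECORD_TYPES:
        raise ValueError(f"record_type must be one of {sorted(RECORD_TYPES)}")
    if not records or len(records) > HARD_MAX:
        raise ValueError(f"batch must contain 1 to {HARD_MAX} records, got {len(records)}")
    over = len(records) > RECOMMENDED_MAX
    warnings = [f"{len(records)} records is above the recommended {RECOMMENDED_MAX}"] if over else []
    for n, rec in enumerate(records, 1):
        check_record(n, rec, record_type)
    feed = {"feed": {"profile": profile, "record_type": record_type, "record": list(records)}}
    return json.dumps(feed, indent=2), warnings


# Constructed sample input, modelled on the page's JSON listing.
SAMPLE = [
    {"host": "www.example.com", "property": "Phishing_Phish", "detected": "20170602T154742Z"},
    {"host": "mail.example.com", "detected": "19980927T154242Z", "duration": "42y0m0w0d42h"},
]
```

Calling `build_feed("SampleProfile", "host", SAMPLE)` returns the JSON text and an empty warning list; a batch larger than 50,000 records returns one warning, and one larger than 60,000 is rejected.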


