IBM Support

Threat Feed Information

How To


Summary

Threat Feed Information

Steps

When an artifact is added to an incident and one or more threat feeds are enabled, the artifact is sent to the Resilient web service (websvc). The request contains the following information:

  • The Resilient license data used to authenticate with the websvc
  • The artifact value
  • A list of threat feeds to query against
  • Threat feed API keys (if required by the threat feeds)
  • The appliance version to support different client versions


The websvc forwards the artifact to the requested threat feeds only, and only if the feed supports the artifact type. If a feed requires an API key, the supplied key is included in the request to the threat feed. The response is then sent back to the Resilient appliance when it becomes available. The Resilient appliance may poll the websvc multiple times before the data becomes available.

There is no information in the request to the websvc that can be used to directly identify the customer. The API keys are not stored on the websvc, which is why they are included with every request.

*********************

Resilient uses the threat feed data in the following ways:

  • Generate a monthly report on aggregated data (for example, total requests for each artifact type and total requests to third-party threat feeds) to monitor the health of the websvc and to determine the effectiveness of the threat feeds.
  • Troubleshoot performance issues.

Document Location

Worldwide

Document Information

Modified date:
19 April 2021

UID

ibm11163128