Threat intelligence feed

With a Threat Intelligence Plus license, you can use the Threat Intelligence feed API within your security tools. Developers can use this API to access the same information that is available in the IoC lists, in a format suitable for automated ingestion.

The Threat Intelligence feed uses the industry standard TAXII (Trusted Automated eXchange of Intelligence Information) version 2.1 and STIX (Structured Threat Information eXpression) to share indicators of compromise (IoCs) and metadata.

For more information about TAXII, see Introduction to TAXII. For more information about STIX, see Introduction to STIX.

You can use the Threat Intelligence feed to receive IoCs such as malicious IP addresses, domains, file hashes, and URLs. The feed also provides additional metadata such as the age of the indicator, when it was last seen, its source, and more. Use the feed to automatically ingest indicators into your security tools that support STIX and TAXII standards. Some tools let you import indicators, for example importing malicious IP addresses into firewalls to block malicious activity, or importing file hashes into endpoint protection platforms to block known malicious files.

You can also use the Threat Intelligence feed within other control points, like intrusion detection or prevention systems, or web proxies to enable more comprehensive and up-to-date protection across your entire security ecosystem.

Create a token

You must create a token to access the Threat Intelligence feed. The created token works with both basic and API token authentication methods.

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Threat Intelligence > Threat Intelligence Feed.
  3. Click Create New Token.
    The New Token dialog opens.
  4. Optional: In the Notes field, enter a description of the token. For example, enter the name of the security tool that you are using the API with.
  5. Click Generate Token.
    A new raw token and HTTP token appear in the Token table.
  6. Find the appropriate token in the table, and then click Copy to copy the token to your clipboard.

API specification

The Threat Intelligence feed API specification is available at https://cti.arcticwolf.com.

Test the API

Test the Threat Intelligence feed API in the Arctic Wolf Unified Portal to confirm that the API is working as expected, understand how requests and responses are structured, and experiment safely before calling the API from your own tools.

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Threat Intelligence > Threat Intelligence Feed.
  3. For the token that you want to use, click Copy to copy the token to your clipboard.
  4. Click Test API.
    The AWN TAXII API Server page opens.
  5. Click Authorize.
    The Available authorizations dialog opens.
  6. In the Value field, paste the token that you copied from the Arctic Wolf Unified Portal.
  7. Click Authorize.
  8. Click Close.
  9. For the information that you want to get from the API, click the appropriate GET request, such as GET /taxii2/.
  10. Click Try it out.
  11. Click Execute.
    Note: Some requests have dependencies. For example, if you want to review collections information, you must include the apiRoot value before clicking Execute.
    You can review the output of the API call, including the query sent to the API and the response from the TAXII server.

Sample API call

Use your preferred API tool to authenticate and make API calls to the Threat Intelligence feed. These steps use Postman to call the API.

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Threat Intelligence > Threat Intelligence Feed.
  3. For the token that you want to use, click Copy to copy the token to your clipboard.
  4. Open your preferred API platform or tool, such as Postman.
  5. In Postman, click New > HTTP Request.
  6. Set the request method to GET.
  7. In the URL field, enter the appropriate URL, for example:
    https://cti.arcticwolf.com/feeds/api/
  8. Click Authorization to enter your credentials.
  9. Make sure that Basic Auth is selected.
  10. In the Password field, paste the token that you copied from the Arctic Wolf Unified Portal.
  11. Click Send to make the API call.
    The API returns the information that you requested in JSON format.
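The same call made from a script instead of Postman, as an added example that is not Arctic Wolf's own code: it sends the token as the basic-auth password, walks a collection's objects endpoint following TAXII 2.1 paging, and extracts IoCs from the STIX indicator patterns. The collections/<id>/objects/ path, the empty basic-auth username and the sample envelope are assumptions or constructed data, not taken from this page.

```python
import base64
import json
import re
import urllib.request

TAXII_ACCEPT = "application/taxii+json;version=2.1"  # TAXII 2.1 media type

# One comparison inside a STIX pattern, e.g. ipv4-addr:value = '203.0.113.5' or
# file:hashes.'SHA-256' = '...'; compound (AND/OR) patterns yield several matches.
COMPARISON_RE = re.compile(r"([a-z0-9-]+):([^\s=]+)\s*=\s*'([^']+)'")

def build_request(url, token, username=""):
    """GET request with the TAXII 2.1 Accept header and HTTP basic auth; the token
    is the password (as in the Postman steps), the empty username is an assumption."""
    cred = base64.b64encode(f"{username}:{token}".encode()).decode()
    return urllib.request.Request(
        url, headers={"Accept": TAXII_ACCEPT, "Authorization": f"Basic {cred}"})

def extract_iocs(envelope):
    """(observable type, value) pairs from the indicator objects in a TAXII envelope.
    Revoked indicators are skipped so stale IoCs never reach a blocklist."""
    iocs = []
    for obj in envelope.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked", False):
            continue
        for m in COMPARISON_RE.finditer(obj.get("pattern", "")):
            iocs.append((m.group(1), m.group(3)))
    return iocs

def fetch_all_iocs(objects_url, token,
                   transport=lambda req: json.load(urllib.request.urlopen(req))):
    """Walk a collection's objects endpoint, following TAXII 2.1 'next' paging.
    'transport' maps a Request to its parsed envelope; swap it to run offline."""
    iocs, next_id = [], None
    while True:
        url = objects_url + (f"?next={next_id}" if next_id else "")
        envelope = transport(build_request(url, token))
        iocs.extend(extract_iocs(envelope))
        if not envelope.get("more"):
            return iocs
        next_id = envelope["next"]

# Constructed sample in the shape of a TAXII 2.1 objects envelope (not real feed data).
SAMPLE_ENVELOPE = {"more": False, "objects": [
    {"type": "indicator", "pattern": "[ipv4-addr:value = '203.0.113.5' OR domain-name:value = 'bad.example']"},
    {"type": "indicator", "pattern": "[file:hashes.'SHA-256' = '" + "a" * 64 + "']"},
    {"type": "indicator", "revoked": True, "pattern": "[url:value = 'http://stale.example/x']"},
    {"type": "identity", "name": "feed publisher"},  # non-indicator objects are ignored
]}
```

Point fetch_all_iocs at a collection's objects URL discovered via GET /taxii2/ and the API root, then hand the resulting pairs to the firewall or endpoint tool that consumes them.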