Fetch Sources from a URL

• If you are ingesting a flat file, choose a Type that describes the data contained within the source.

• If the host server requires an encrypted connection, configure the SSL Settings as described in Configure TLS/SSL Settings for a Threat Intelligence Director Source.

• For Name: To simplify sorting and handling of incidents based on threat intelligence director indicators, use a consistent naming scheme across sources. For example, <source>-<type>.

  Including the source name simplifies returning to the source for further information or feedback.

  Be sure to enter the name consistently. For example, for a source with IPv4 addresses, you might always use IPV4 (not IPv4 or ipv4 or IP_v4 or IP_V4 or ip-v4 or IP-v4, IP-V4, etc.)

• If you are ingesting a STIX file, Block is not an Action option, as STIX data can contain complex indicators, which the system cannot block. Devices (elements) store and take action based on single observables; they cannot take action based on multiple observables.

  However, after ingestion, you can block individual observables and simple indicators obtained from the source. For more information, see Edit Threat Intelligence Director Actions at the Source, Indicator, or Observable Level.

• Set an update frequency that makes sense for how often the data source is updated. For example, if the source is updated 3 times per day, set your update interval to 1440/3 or 480 minutes to regularly capture the latest data.

• After the number of days you specify for the TTL interval, threat intelligence director deletes:

  • all of the source's indicators that are not included in subsequent source updates.

  • all observables not referenced by a surviving indicator.

When this option is enabled, the system automatically publishes the initial source data and any subsequent changes.

For details, see Pause or Publish Threat Intelligence Director Data at the Source, Indicator, or Observable Level.