Feedly Plugin for Threat Exchange
This document explains how to configure the CTE Feedly v1.0.0 plugin with the Threat Exchange module of the Netskope Cloud Exchange platform. This plugin fetches SHA256 hashes, MD5 hashes, URLs, domains, and IP addresses from Feedly Stream. This plugin also fetches IoCs in MISP format from Feedly Stream.
Prerequisites
To complete this configuration, you need:
- A Netskope tenant (or multiple, for example, production and development/test instances) that is already configured in Cloud Exchange.
- A Netskope Cloud Exchange tenant with the Threat Exchange module already configured.
- A Feedly Instance and access to your credentials: Feedly Stream ID, Feedly Enterprise Access Token.
- Connectivity to the following host: https://feedly.com/.
Feedly Plugin Support
Functionality | Is available |
Pull Functionality | Yes |
Push Functionality | No |
Compatibility
Netskope CE: v3.4.1, v4.0.1, v4.1.0
Permissions
The Feedly Enterprise Access Token, which users can get from their Customer Success Manager, already has the permissions the plugin needs.
Performance
Instance details:
- Netskope CE 4.1.0
- RAM: 4 GB
- CPU: 4 Core
Data | Time taken to store |
100K | ~25 mins |
API Details
The plugin uses a Feedly third-party library to pull the indicators from the Feedly platform.
Refer to the official documentation for more information on the Feedly SDK.
https://github.com/feedly/python-api-client
The Feedly Enterprise Access Token will be obtained from the Feedly administrator. Refer to the below link for more information.
https://developer.feedly.com/v3/enterpriseTokens/
Workflow
- Get your Feedly credentials.
- Configure the Feedly Plugin for Threat Exchange.
- Validate the Feedly plugin.
Get your Feedly Configuration Parameters
Create a Feed
- Log in to your Feedly account.
- Click the Power Search icon (as shown).
- Select the Topics that you would like to subscribe to.
- Select from your feed or Across the Web from the top.
- For example, if you just want to subscribe to Indicators of Compromise, select it.
- Click Follow AI Feed and select the folder in which you want to add the feed. For example, add in a Test Feed.
- Click Add.
- Enter the Feed Name and click FOLLOW AI Feed.
In a few seconds, your feed should be successfully created.
Get your Feedly Stream ID
- Log in to your Feedly account.
- In the Feedly dashboard, go to the feed that you want to fetch.
You should see “Test IoC feed for CTE Plugin”.
- Click on “…” in the top right corner and go to the sharing option.
- Scroll down to the bottom and you’ll see the Feedly Stream ID field. Copy the value; you will need this to configure the Feedly plugin.
Get your Feedly Enterprise Access Token
If you are a Feedly Enterprise customer, please contact your customer success manager at enterprise@feedly.com.
Configure the Feedly Plugin
- Log in to Cloud Exchange and go to Settings > Plugins.
- Search for and select the Feedly plugin box to open the configuration page.
- Add a Configuration Name, a Sync Interval, and enable Use System Proxy if needed for connectivity.
- Click Next and add the Feedly Stream ID, Feedly Enterprise Access Token, Type of IoCs, Enable Tagging, and Initial Range (In Days):
- Feedly Stream ID: The Stream ID you got previously.
- Feedly Enterprise Access Token: The access token you got previously.
- Type of IoCs: The IoC types you want the plugin to pull from Feedly Stream.
- Enable Tagging: Select Yes if you want tags attached to indicators, or No if you don't. Yes is selected by default.
If Yes is selected, tags longer than 50 characters are skipped, but they are still present in the IoC comment.
- Initial Range: The number of days of past data to pull on the initial run.
- Click Save.
Your new plugin configuration can be seen at Threat Exchange > Plugins.
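To see what the Type of IoCs and Enable Tagging settings mean for a MISP-format event, the following added example (not the plugin's own code) filters a constructed MISP event and applies the 50-character tag rule. The type mapping, the function name extract_iocs, the "Skipped tags:" comment wording, and the sample event are assumptions made for illustration.

```python
import json

# Assumed mapping from MISP attribute types to the IoC types this page lists.
TYPE_MAP = {"sha256": "sha256", "md5": "md5", "url": "url", "domain": "domain",
            "hostname": "domain", "ip-src": "ip", "ip-dst": "ip"}
MAX_TAG_LEN = 50  # longer tags are skipped and kept only in the comment

def extract_iocs(misp_json, wanted_types, enable_tagging=True):
    """Return deduplicated indicators of the wanted types from one MISP event."""
    event = json.loads(misp_json)["Event"]
    event_tags = [t["name"] for t in event.get("Tag", [])]
    out, seen = [], set()
    for attr in event.get("Attribute", []):
        ioc_type = TYPE_MAP.get(attr.get("type"))
        value = (attr.get("value") or "").strip()
        if ioc_type not in wanted_types or not value or (ioc_type, value) in seen:
            continue  # unsupported type, empty value, or duplicate
        seen.add((ioc_type, value))
        names = event_tags + [t["name"] for t in attr.get("Tag", [])]
        if not enable_tagging:
            names = []
        kept = [n for n in names if len(n) <= MAX_TAG_LEN]
        skipped = [n for n in names if len(n) > MAX_TAG_LEN]
        comment = attr.get("comment", "")
        if skipped:  # over-length tags survive only in the comment
            comment = (comment + " Skipped tags: " + ", ".join(skipped)).strip()
        out.append({"type": ioc_type, "value": value, "tags": kept, "comment": comment})
    return out

# Constructed sample event (reserved documentation values, not real indicators).
LONG_TAG = "constructed-long-tag-" + "x" * 40  # 61 characters
SAMPLE = json.dumps({"Event": {
    "info": "Constructed test event",
    "Tag": [{"name": "tlp:amber"}],
    "Attribute": [
        {"type": "domain", "value": "bad.example.com", "Tag": [{"name": LONG_TAG}]},
        {"type": "domain", "value": "bad.example.com"},
        {"type": "ip-dst", "value": "192.0.2.10", "comment": "C2"},
        {"type": "email-src", "value": "x@example.org"},
        {"type": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e"},
    ]}})

if __name__ == "__main__":
    for ioc in extract_iocs(SAMPLE, {"domain", "ip"}):
        print(ioc)
```

Comparing this output with what appears under Threat Exchange > Threat IoCs is a quick way to confirm that the selected IoC types and tagging option behave as expected.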
Validate the Feedly Plugin
Validate in Cloud Exchange
- Go to Threat Exchange > Threat IoCs.
- Add a filter for the source configuration of Feedly.
- You will see all the indicators fetched from the Feedly Stream on this page.
Validate in Feedly
- Users can see the feeds they created in the Team Feeds section of the Feedly dashboard.
IoCs is the feed name, and there are many feeds, as shown in the above image.
- Now to see the indicators of the first feed, click on the feed. You’ll see something similar to what’s shown below.
Per the above screenshot, you can see that two IoCs were found. Specifically, there are two domains.
- Users can also see the actual IoCs in the highlighted section. Refer to the below screenshot.