public class ThreatstreamMalwareSiteUpdateService extends BaseThreatFeedUpdateService
https://api.threatstream.com/api/v1/intelligence/
This implementation imports Threat Feeds into the FortiSIEM system under CMDB -> Blocked Domains -> Threat Stream Domain.
In this implementation, the following feed types are downloaded and parsed for import into the FortiSIEM system: "c2_domain", "compromised_domain", "mal_domain", "dyn_dns", "apt_domain".
This implementation can serve as an example of how to implement your own service for feeds that are not in plain CSV text format.
Before using this class, go to https://api.threatstream.com/ to find out whether you can use the feed in your environment legally.
Fields inherited from class BaseThreatFeedUpdateService: DEFAULT_CSV_QUOTE_CHARACTER, DEFAULT_CSV_SEPARATOR
| Constructor and Description |
|---|
| ThreatstreamMalwareSiteUpdateService() |
| Modifier and Type | Method and Description |
|---|---|
| String | download(ServiceContext context) Downloads external Threat Feeds from a third-party web site. |
| Map<String,List<ThreatFeedDTO>> | parse(ServiceContext context, String filePath, String parentGroup, List<String> childGroups) Parses the Threat Feeds downloaded by the download function. |
Methods inherited from class BaseThreatFeedUpdateService: appendCondition, download, download, getMaxReadLines, getReadByte, getStartLine, parseLine, setBackReadResult
public ThreatstreamMalwareSiteUpdateService()
public String download(ServiceContext context)
Description copied from class: BaseThreatFeedUpdateService
The default implementation of this function downloads all the available Threat Feeds, saves the downloaded raw content to a local file in the same format as published by the web site, and returns the file name as the result. This default download method supports HTTP(S) Basic authorization only.
This default implementation can be overridden if it does not meet the API requirements of the third-party web site.
Overrides: download in class BaseThreatFeedUpdateService
Parameters: context - The service context that holds the setup parameters needed for the download.
See Also: ServiceContext
public Map<String,List<ThreatFeedDTO>> parse(ServiceContext context, String filePath, String parentGroup, List<String> childGroups) throws UnsupportedEncodingException, FileNotFoundException, IOException
Description copied from class: BaseThreatFeedUpdateService
This API must be implemented to parse a downloaded Threat Feed and convert it into ThreatFeedDTO objects. The returned map is keyed by CMDB group name; each value is the list of ThreatFeedDTO objects to import into that group.
If you assign any Threat Feeds to a child group that does not exist in the CMDB yet, that child group is created when the Threat Feeds are imported into it. Also, if you want the downloaded Threat Feeds to go into a child group rather than the parent group (the parentGroup argument), do not assign any of the Threat Feeds to the parent group in the returned map.
Specified by: parse in class BaseThreatFeedUpdateService
Parameters:
context - The service context that holds the setup parameters you may need for parsing.
filePath - The file path, or the downloaded content string, that this function parses.
parentGroup - The CMDB group that has been set up to download Threat Feeds on a schedule.
childGroups - A list of child groups under parentGroup that may hold the downloaded Threat Feeds.
Throws: UnsupportedEncodingException, FileNotFoundException, IOException
See Also: ServiceContext, ThreatFeedDTO
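The following is an added example, not FortiSIEM's own code and not the body of this class, showing how a service for a feed that is not plain CSV can follow the parse contract above: collect a paged JSON feed, keep only the records whose type matches one of the requested child groups, and return a map keyed by child group with nothing keyed by the parent group. Everything beyond the page is an assumption and is labelled as such in the code: the ThreatStream-style response shape ({"objects":[...],"meta":{"next":...}}) and the field names itype, value, status, confidence and source; the Jackson library (com.fasterxml.jackson.databind) for JSON; a Function<String,String> standing in for the real download step, which in a real service would also carry the feed's authentication; and a FeedEntry class standing in for ThreatFeedDTO. The two pages of sample data are constructed inline.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.function.Function;
import java.util.regex.Pattern;

/**
 * Added example (not FortiSIEM's code): turn a paged, ThreatStream-style JSON
 * intelligence feed into the "child group -> entries" map that
 * parse(context, filePath, parentGroup, childGroups) is expected to return.
 *
 * Assumptions, not taken from the FortiSIEM docs: the response shape
 * {"objects":[{"itype","value","status","confidence","source"}],"meta":{"next"}},
 * Jackson for JSON, a Function<String,String> in place of the real download
 * step, and FeedEntry in place of ThreatFeedDTO.
 */
public class ThreatstreamJsonFeedExample {

    /** Host-name shape check: rejects URLs, paths and any character a host name cannot contain. */
    private static final Pattern DOMAIN =
            Pattern.compile("^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$");

    /** Hypothetical stand-in for ThreatFeedDTO; a real service populates the DTO's own fields instead. */
    public static final class FeedEntry {
        public final String domain;
        public final int confidence;
        public final String source;

        FeedEntry(String domain, int confidence, String source) {
            this.domain = domain;
            this.confidence = confidence;
            this.source = source;
        }

        @Override
        public String toString() {
            return domain + " (confidence=" + confidence + ", source=" + source + ")";
        }
    }

    /**
     * Download step for a non-CSV feed: follow meta.next until the server stops
     * paging. The loop is bounded and refuses to revisit a page, so a misbehaving
     * or malicious feed server cannot keep the updater spinning forever.
     */
    public static List<JsonNode> fetchAllObjects(String firstPage, Function<String, String> fetch, int maxPages)
            throws IOException {
        ObjectMapper mapper = new ObjectMapper();
        List<JsonNode> objects = new ArrayList<>();
        Set<String> visited = new HashSet<>();
        String page = firstPage;
        while (page != null) {
            if (visited.size() >= maxPages) throw new IOException("feed exceeded " + maxPages + " pages");
            if (!visited.add(page)) throw new IOException("pagination loop at " + page);
            JsonNode root = mapper.readTree(fetch.apply(page));
            JsonNode objs = root.path("objects");
            if (!objs.isArray()) throw new IOException("unexpected feed shape on " + page + ": no objects[]");
            objs.forEach(objects::add);
            JsonNode next = root.path("meta").path("next");   // assumed: null or "" ends the paging
            page = next.isTextual() && !next.asText().isEmpty() ? next.asText() : null;
        }
        return objects;
    }

    /**
     * Parse step: keep only records whose itype is one of the requested child
     * groups and key the result by that child group. Nothing is ever keyed by the
     * parent group, so the import lands in the child groups only.
     */
    public static Map<String, List<FeedEntry>> groupByChildGroup(List<JsonNode> objects, List<String> childGroups) {
        Set<String> wanted = new HashSet<>(childGroups);
        Map<String, List<FeedEntry>> result = new LinkedHashMap<>();
        for (JsonNode o : objects) {
            String itype = o.path("itype").asText("");
            String domain = o.path("value").asText("").trim().toLowerCase(Locale.ROOT);
            // Assumed: "active" marks a live indicator; a missing status is treated as active.
            boolean active = "active".equals(o.path("status").asText("active"));
            if (!wanted.contains(itype) || !active || !DOMAIN.matcher(domain).matches()) continue;
            result.computeIfAbsent(itype, k -> new ArrayList<>())
                  .add(new FeedEntry(domain, o.path("confidence").asInt(0), o.path("source").asText("")));
        }
        return result;
    }

    public static void main(String[] args) throws IOException {
        // Constructed two-page sample standing in for the HTTP responses (not real feed data).
        Map<String, String> pages = new HashMap<>();
        pages.put("/page1", "{\"objects\":["
                + "{\"itype\":\"c2_domain\",\"value\":\"bad-c2.example\",\"status\":\"active\",\"confidence\":90,\"source\":\"feedA\"},"
                + "{\"itype\":\"mal_domain\",\"value\":\"MALWARE.Example\",\"status\":\"active\",\"confidence\":70,\"source\":\"feedA\"},"
                + "{\"itype\":\"mal_ip\",\"value\":\"203.0.113.9\",\"status\":\"active\",\"confidence\":80,\"source\":\"feedA\"}"
                + "],\"meta\":{\"next\":\"/page2\"}}");
        pages.put("/page2", "{\"objects\":["
                + "{\"itype\":\"dyn_dns\",\"value\":\"host.dyn.example\",\"status\":\"inactive\",\"confidence\":50,\"source\":\"feedB\"},"
                + "{\"itype\":\"apt_domain\",\"value\":\"http://apt.example/\",\"status\":\"active\",\"confidence\":95,\"source\":\"feedB\"},"
                + "{\"itype\":\"apt_domain\",\"value\":\"apt.example\",\"status\":\"active\",\"confidence\":95,\"source\":\"feedB\"}"
                + "],\"meta\":{\"next\":null}}");

        List<JsonNode> objects = fetchAllObjects("/page1", pages::get, 10);
        List<String> childGroups = Arrays.asList("c2_domain", "compromised_domain", "mal_domain", "dyn_dns", "apt_domain");
        Map<String, List<FeedEntry>> grouped = groupByChildGroup(objects, childGroups);
        grouped.forEach((group, entries) -> System.out.println(group + " -> " + entries));
    }
}
```

The sample deliberately contains three records a careless parser would let through: a mal_ip record whose type is not one of the requested child groups, an inactive dyn_dns record, and an apt_domain record whose value is a URL rather than a host name. All three are filtered by the type, status and host-name checks, so only domain-shaped values reach the groups the service actually imports into. In a real service, the map values would be ThreatFeedDTO objects, the fetch function would be the class's own download step, and the childGroups list would be the one passed to parse by the scheduler.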
Copyright © 2019. All rights reserved.