WEBVTT

1
00:00:15.432 --> 00:00:15.932
Hello

2
00:00:16.141 --> 00:00:20.145
I'm going to give a quick overview of ThreatQ’s integration with Feedly

3
00:00:20.895 --> 00:00:26.109
The Feedly integration ingests threat intel from articles, blog posts, and RSS feeds coming from Feedly

4
00:00:26.735 --> 00:00:33.408
They have a layer of NLP preprocessing that provides a lot of great context about the articles being ingested all in one neat package.

5
00:00:33.783 --> 00:00:43.084
The integration parses through this information and builds out reports containing attributes, tags and related objects such as IoCs, CVEs and malware.

6
00:00:43.418 --> 00:00:46.880
It then relates the objects together so that everything is easily viewable in the threat library.

7
00:00:47.714 --> 00:00:52.010
Alright, so if we go ahead and look at the integration page under My Integrations

8
00:00:53.762 --> 00:00:55.305
We can search for Feedly.

9
00:00:56.723 --> 00:00:59.017
And we can have it open in a new tab.

10
00:01:01.436 --> 00:01:03.063
So this is the configuration page.

11
00:01:03.521 --> 00:01:08.068
We have the Feedly API Token. You would simply put your API token for anything in here.

12
00:01:08.318 --> 00:01:10.070
Then we have the API stream ID.

13
00:01:10.361 --> 00:01:16.076
Now you get this from Feedly itself and go to your team feeds here that you have built

14
00:01:16.201 --> 00:01:16.993
Select one

15
00:01:17.118 --> 00:01:20.997
Go to your options and go to sharing and it will show your stream ID.

16
00:01:21.414 --> 00:01:22.624
Go ahead and copy it over

17
00:01:23.166 --> 00:01:25.877
And you can paste that into your Feedly API stream ID.

18
00:01:27.003 --> 00:01:31.883
We also have other ingestion options such as ingesting keywords as tags, attributes, or both

19
00:01:32.342 --> 00:01:36.262
and ingesting CVEs as indicators, vulnerabilities, or both.

20
00:01:38.223 --> 00:01:43.311
Then you can select how often you want this integration to run as well as the default indicator status.

21
00:01:44.062 --> 00:01:48.441
You would simply click enable and then hit save and you are ready to go

22
00:01:49.484 --> 00:01:53.738
I'll go ahead and check out the activity log. We've been having this field running for a little while now.

23
00:01:54.447 --> 00:01:56.282
You can see that it ran recently.

24
00:01:56.616 --> 00:01:57.826
We have it running every hour.

25
00:01:58.618 --> 00:02:03.623
Holding one report with one indicator, one malware object and nine attributes.

26
00:02:04.332 --> 00:02:06.126
I think there is a better example here.

27
00:02:07.418 --> 00:02:13.675
This one for the one report, 109 indicators, some various objects and 31 report attributes.

28
00:02:14.425 --> 00:02:19.305
Because we have it running every hour, it doesn't always ingest something.

29
00:02:20.390 --> 00:02:23.560
If we go ahead and take a look at the threat library.

30
00:02:26.187 --> 00:02:29.691
You can see I already have a data collection selected.

31
00:02:29.732 --> 00:02:32.694
And it shows that in the last day we have 9 reports.

32
00:02:33.278 --> 00:02:35.905
If I go ahead and open all these, I have more of these open already.

33
00:02:37.073 --> 00:02:40.034
Here you can see an example of a report that it has brought in.

34
00:02:40.243 --> 00:02:49.669
We have the attributes provided such as the topic and the affected software as well as various contexts from Feedly such as their helpful Feedly Leo summary

35
00:02:50.378 --> 00:02:54.591
and the source URL, which is where the article originated from.

36
00:02:55.633 --> 00:02:58.178
Down here we have the tags that are brought in.

37
00:02:58.636 --> 00:03:05.476
If we scroll down, you can see the description displays the contents of the article, as it shows on the original source URL.

38
00:03:06.436 --> 00:03:11.858
And at the bottom, we have related objects such as the attack patterns, identities and malware.

39
00:03:12.567 --> 00:03:21.201
We also have indicators that can be used for scoring or enriching with operations or workflows, or to export to tools such as an EDR tool or firewall.

40
00:03:21.868 --> 00:03:30.627
Now if we head to the dashboard, you can see I've just put together a quick dashboard for Feedly that displays reports brought in within the last day.

41
00:03:30.668 --> 00:03:35.131
As well as easily being able to see what those reports are about using the Leo summary.

42
00:03:35.173 --> 00:03:40.094
As well as context about those reports, such as the score that related indicators are being scored on

43
00:03:40.470 --> 00:03:42.430
Related Tags on reports

44
00:03:43.389 --> 00:03:47.810
As well as just in general, all ingested indicators or topics.

45
00:03:49.103 --> 00:03:53.399
And if you have any questions or need more info, you can head to ThreatQ.com.

46
00:03:53.650 --> 00:03:54.150
Thank you