Use the JSON feed integration to fetch indicators from a JSON feed. This integration allows for a wide variety of user configuration to support different types of JSON feeds.
Configure JSON Feed on Demisto
Navigate to Settings > Integrations > Servers & Services.
Search for JSON feed.
Click Add instance to create and configure a new integration instance.
Parameter Description Name A meaningful name for the integration instance. Fetch indicators Whether to fetch indicators, if checked. Indicator Reputation The reputation applied to indicators from this integration instance. The default value is "Bad". Source Reliability The reliability of the source providing the intelligence data. The default value is "C - Fairly reliable" Traffic Light Protocol Color The Traffic Light Protocol (TLP) designation to apply to indicators fetched from the feed. More information about the protocol can be found at https://us-cert.cisa.gov/tlp Indicator Expiration Method The method by which to expire indicators from this feed for this integration instance. Indicator Expiration Interval How often to expire the indicators from this integration instance (in minutes). This only applies if the
feedExpirationPolicyis set to "interval". The default value is 20160 (two weeks).
Feed Fetch Interval How often to fetch indicators from the feed for this integration instance (in minutes). The default value is 60. URL The URL of the feed. Auto detect indicator type Whether a type auto detection mechanism will take place for each indicator, if checked. Indicator Type The type of the indicator in the feed. This is relevant only if
Auto detectis not checked.
Username + Password The credentials used to access feeds that require basic authentication. These fields also support the use of API key headers. To use API key headers, specify the header name and value in the following format:
_header:<header_name>in the Username field and the header value in the Password field.
JMESPath Extractor The JMESPath expression for extracting the indicators from. You can check the expression in the JMESPath site to verify this expression will return the following array of objects. JSON Indicator Attribute The JSON attribute whose value is the indicator. The default is "indicator". Bypass exclusion list Whether the exclusion list is ignored for indicators from this feed. This means that if an indicator from this feed is on the exclusion list, the indicator might still be added to the system.
Click Test to validate the URLs and connection.
IP address ranges from Amazon AWS will be used as examples. The feed will ingest indicators of the CIDR type. These are the feed instance configuration parameters for our example.
Auto detect indicator type: Checked.
Indicator Type - Leave this empty and the system will identify the indicator type.
Credentials - This feed does not require authentication.
The following parameters will be configured based on the feed in the web browser.
JMESPath Extractor - prefixes[?service=='AMAZON'] This means that the desired objects to extract the indicators from is
prefixes, and the objects will be filtered by where the field
service is equal to
JSON Indicator Attribute - The
At this point, an instance for the IP ranges from Amazon AWS has been successfully configured. After
Fetches indicators have been enabled, the instance will start pulling indicators.
Mapping in the integration instance, the field names we previously configured can be mapped to the actual indicator fields (except
value which is the indicator value).
We can use
Set up a new classification rule using actual data from the feed.
You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
Get indicators from the feed
Gets the feed indicators.
|limit||The maximum number of results to return. The default value is 50.||Optional|
There is no context output for this command.