Ransomware TAXII Feed Activation

Overview

The ReversingLabs Ransomware Feed integrates curated ransomware-related indicators directly into Anomali ThreatStream.

For more details on the contents of the ransomware feed, view the TAXII Ransomware Feed documentation, or visit the ReversingLabs Ransomware Feed product solution page.

info

Did you know we offer a 30 day free trial? See the Trial Activation section for details.

Getting Started

Existing Ransomware Feed Customers

If you're already subscribed to the ransomware feed, retrieve your credentials and proceed to Configure ThreatStream TAXII Site Settings.

Trial Activation

To start a 30-day trial through the Anomali ThreatStream App Store:

1. Log in to ThreatStream
2. Click App Store in the navigation bar.
3. Search "ReversingLabs" in the search bar.
4. Click Get Access under the "ReversingLabs - Ransomware and Related Tools Intel List" card.

5. Read the evaluation agreement.
6. Ensure Agree is checked.
7. Click Request a Trial.

After submitting the request, a member of the ReversingLabs support team will generate trial credentials for the feed.

Configure TAXII Site Settings

After obtaining credentials for the Ransomware TAXII feed, configure ThreatStream TAXII site settings to start pulling indicators. The site points to a discovery URL for a TAXII server, and retrieves all available feeds/collections.

1. Click the settings gear icon in the top-right corner.
2. In the settings menu, click TAXII.
3. Click Actions → Add Site.

4. Enter the following information:

   • Name: ReversingLabs TAXII feeds
   • TAXII Version: TAXII 2.1
   • Discovery URL: https://data.reversinglabs.com/api/taxii/taxii2
   • Use Site SSL Verification: Yes
   • Basic Authentication: Yes
   • Username: Your ransomware feed username.
   • Password: The password associated with the username above.
   • SSL Two-Way Certificate: No

warning

If you subscribe to multiple ReversingLabs feeds, ensure your credentials work across all intended collections.

A successful configuration will display a green checkmark next to the Discovery card.

After configuring the site, you'll be redirected to the site details. If configured correctly, you should see a green checkmark icon for the Discovery card.

Create a TAXII Feed

Next, create a TAXII feed for indicators to be associated with. These provide a way to store the incoming indicators into a single location within ThreatStream.

1. From the TAXII Settings page, click the TAXII Feeds tab.
2. Click the Actions button, and then New TAXII Feed.

3. Enter the following information:

   • Name: A name for the feed.
   • Visibility: Default to My Organization.
   • Expiration Date: Default to 90 days.
   • Confidence: Leave as default.

4. Click Save to continue.

Configure Collection Polling

1. After configuring the TAXII site and creating a TAXII feed, navigate back to the sites tab, and click the side details button:

2. All available collections are listed in the left sidebar, under the site name. Click the item labeled https://data.reversinglabs.com/api/taxii/ransomware-api-root/.

note

If credentials are invalid for a collection, a 403 error message will appear.

1. Click Edit next to the username.

2. Select Use API Root Specific credentials, Use Site SSL Verification, and Basic Authentication.
3. Provide the correct username and password.

3. Navigate the Poll Collections tab.
4. Locate the collection labeled Reversinglabs Ransomware Collection.
5. Click Configure.

6. Enter the following information in the collection polling configuration:

   • TAXII Feed: Select the feed created in the Create a TAXII Feed section.
   • Subscription ID: Enter any ID value. Optional.
   • Interval: Enter the interval in hours or days in which ThreatStream will poll for new indicators. Recommended setting is every 1 day.
   • Start From: Select the earliest date to retrieve indicators. Recommended setting is 30 days back from the current date.

7. After configuring the polling settings, click Save and Run Now to start polling for indicators.

After a short time, ransomware indicators should begin appearing in ThreatStream:

View Indicators

To view indicators from the Ransomware Feed:

1. Log in to ThreatStream.
2. Hover over the “Analyze” menu item, and then click Observables.
3. Filter by Feed/Source for the name of the feed created earlier: