TIDE data can be uploaded to a profile associated with an account. Policies are used to control access to your organization's data and can be specified when the data is submitted. Data Policies allow organizations to control how their submitted data is shared with other organizations or groups. Infoblox can enable accessing and data sharing between organizations upon request. Policies can be used for multiple data submissions and are only visible within your organization. Data profiles are used to identify data in the platform from one or many data submissions. A data profile must be specified when data is submitted. Data profiles are associated with policies, which control who can access the data. When a data profile is created it must be associated with a policy.
Note |
---|
A dedicated service key for each data output is the recommended best practice. |
Users can submit threat indicators using the Cloud Services Portal or via the TIDE Data API. In order to submit data, the following is required:
...
Data Submission Formats
Note | ||
---|---|---|
| ||
Any unknown fields in a record will automatically go under an “extended” field for that record. This will occur after the submission is done. |
Threat Data Fields | |||
File-level fields | |||
profile | data profile id | ||
record_type | either host, ip, url, email, or hash | ||
external_id | string indicating an external ID to assign to the batch (optional) | ||
record | surrounds the individual record(s) in the XML and JSON formats | ||
Record-level fields | |||
Field Name | Description | ||
host | threat hostname | ||
ip | threat IP address | ||
url | threat URL | ||
hash | hash threat | ||
email threat | |||
detected | date/time threat was detected, in ISO 8601 format | ||
class | the threat's class, for example: Sinkhole | ||
property | the threat's property, for example: Sinkhole_SinkholedHost | ||
confidence | the threat's confidence score ranging from 0 - 100 (optional) | ||
domain | domain string (optional) | ||
duration | duration of the threat in XyXmXwXdXh format - the expiration date will be set to the detected date + this duration (optional) | ||
expiration | expiration date, in ISO 8601 format (optional) | ||
threat_level | the threat's level, ranging from 0 - 100 (optional) | ||
target | target of threat (optional) | ||
tld | top-level domain, string (optional) |
...
Code Block | ||||
---|---|---|---|---|
| ||||
{ "feed": { "profile": "abc_testSampleProfile", "record_type": "host", "record": [ { "host": "test-domain.org", "domain": "test-domain.org", "class": "CompromisedHost", "property" : "CompromisedHost_Generic", "detected": "2024-01-12T00:00:00.000Z", "duration": "90d", "confidence": 70, "threat_level": 80 }, { "host": "test-domain.net", "class": "Sinkhole", "property" : "Sinkhole_SinkholedHost", "detected": "2024-01-12T00:00:00.000Z", "expiration": "2024-03-01T00:00:00.000Z", "confidence": 30, "threat_level": 50 }] } } |
...