You can add 5 types of Custom Sources.

  1. Custom List Feed
  2. Custom JSON Feed
  3. STIX/TAXII 2.1
  4. CSV
  5. Manual 


Custom List Feed

A custom list feed is a URL that publishes data in the list format.

1.1.1.1
2.2.2.2
3.3.3.3

You need to input the URL and set the check interval.  Please be mindful of the check interval and choose the value appropriately.



Custom JSON Feed

JSON feeds consist of multiple elements with no set structure.  Every feed can be organized differently.


In order to filter a JSON feed, you can specify filter parameters

  • JSON Filter Target
    • Input type: string
    • Required
    • This is the "Key" in the key, value pair where the value is the IP address(es) you want.
  • JSON Filter Target Parent
    • Input type: string
    • Optional
    • This is the parent "Key" that that target is under
  • JSON Filter Target Sibling
    • Input type: JSON
    • Optional
    • This can be 1 or more siblings of the target that also are under the parent
  • JSON Filter Target Parent Sibling
    • Input type: JSON
    • Optional
    • This can be 1 or more siblings of the target's parent


Here is an example of filtering the Azure JSON feed.

In this case, in order to filter out all the Azure IP addresses that run the ActionGroup function, we need to specify 3 JSON filters

  1. JSON Filter Target: addressPrefixes
  2. JSON Filter Target Parent: properties
  3. JSON Filter Target Parent Sibling: {"name": "ActionGroup"}
    • Though it is not needed in this case, you can specify multiple sibling by using a filter such as this
      •  {"name": "ActionGroup", "id": "ActionGroup"} 

We do not need to specify the JSON Filter Target Sibling but it is indicated on the diagram so you know what it is.


When building JSON filters first ask yourself, what do I want?  Then examine the JSON data to decide how specific you need your filters to be.



STIX/TAXII 2.1

Parameters

  • Collection URL
    • The collection URL must in the following format: https:<some hostname>/<collection-id>/objects/
    • The collection ID must be provided
  • STIX Target Patterns

    • This is the data you want to extract from the feed.


CSV

CSV feeds are comma separated, with each entry on a new line.

Parameters

  • CSV Data Column
    • Which column contains the data to be extracted
  • CSV Comment Column
    • If you wish to map a column as a comment, then put the number of that column. Leave 0 to do nothing.
  • CSV Comment Character
    • What character should be used to indicate a comment in the data list? # used as default.



Manual

This is manual list of IP address, domains or URLs.  It is what you want it to be.

Most frequently, manual sources are used to be able to create block or allow lists that are included in an EDL.