Ingest External Data Feeds

Before beginning this procedure, you'll need the URL to an open-source data feed.

Process

  1. Open the open-source data feed.
  2. Identify the column heads and the separation symbol. For the feed used in this example:

    Column Heads: Firstseen (UTC), Threat, Malware, Host, URL, Status, Registrar, IP address(es), ASN(s), Country
    Separation Symbol: comma

  3. In your favorite text-edit application, update spec.xml to contain the column heads you need.
  4. Still in your text-edit application, create a sample_data.txt file that contains one or more rows of data from the feed.
  5. Log in to Asset Manager Command Center using your browser interface.
  6. Go to Settings > Tables > Add Table.
  7. In the Name field, enter a descriptive name for the table you are creating, such as ransomware_tracker_feed.
  8. In the Table Type field, select Managed Primary Table.
  9. Optionally, add Tags to help others find the table and a Description of the table's purpose.
  10. Browse to and select the spec.xml and sample_data.txt files.
  11. Click Next.
    The column headings for your table are displayed in alphabetical order. Review the values listed in the Field column to confirm that they match your spec.xml.
  12. Select the Value Index checkbox for each field you want HDFS to index immediately. If you do not check any items in the Value Index column, your table will still be created, but it will not be indexed.
  13. Click Create Table.
    The table structure is created in the Asset Manager's HDFS data store.
  14. Log in to the CLI of your Asset Manager Command Center.
  15. At the command-line prompt, enter support db.
    You now have access to Asset Manager's PostgreSQL database.
  16. Insert the feed details into Asset Manager's PostgreSQL database using an INSERT statement. The column labels stay the same from feed to feed; the value for each label must be customized for your feed. Here is a sample entry:
    insert into system.feed(name, shortname, enabled, overwrite, url, key, filename, tablename, pipelinename, pollinterval) values ('ransomware-tracker', 'ransomware', true, true, 'https://ransomwaretracker.abuse.ch', '','/feeds/csv/', 'Asset Manager.public.ransomware_tracker_feed', 'ransomware',1440);
  17. Confirm that the row was inserted by entering
    select * from system.feed where name ='ransomware-tracker';
    A returned row indicates that Asset Manager's database has stored the feed entry.
  18. To validate the connection, restart the Asset Manager API service by entering:
    support service apirestart
    The feed begins to populate, and records will very soon be available in the Asset Manager GUI.
  19. In the Asset Manager, go to Settings > Tables.
  20. Select the ransomware_tracker_feed table.
  21. Check the number of records present to confirm that the database has been populated.
  22. Click View.
    The table is displayed. Asset Manager has ingested the external data feed.
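As an added example, not part of the original procedure or of the Asset Manager product, the following Python script performs the column-head and separation-symbol step mechanically on a constructed sample of the feed: it detects the separator, reads the column heads, flags rows whose field count differs from the header (the kind of row that will not load cleanly), and compares the heads against the ones written into spec.xml. The sample rows, SPEC_COLUMNS and the candidate separator list are all assumptions.

```python
import csv
import io

# Constructed sample of the feed described above (not downloaded from the
# real feed): the ten column heads from the procedure, comma separated, plus
# three data rows. The third row is deliberately short so the check below
# has something to catch.
SAMPLE_FEED = """\
Firstseen (UTC),Threat,Malware,Host,URL,Status,Registrar,IP address(es),ASN(s),Country
2016-01-01 00:00:00,Payment Site,TeslaCrypt,pay.example.invalid,http://pay.example.invalid/,online,Example Registrar,192.0.2.10,64496,XX
2016-01-02 00:00:00,Distribution Site,Locky,dl.example.invalid,http://dl.example.invalid/,offline,Example Registrar,192.0.2.11|192.0.2.12,64496|64497,XX
2016-01-03 00:00:00,C2,Locky,c2.example.invalid,http://c2.example.invalid/,online,Example Registrar
"""

# Column heads as written into spec.xml (assumed to mirror the feed header).
SPEC_COLUMNS = ["Firstseen (UTC)", "Threat", "Malware", "Host", "URL", "Status",
                "Registrar", "IP address(es)", "ASN(s)", "Country"]

# Separation symbols this check knows how to recognise (an assumption).
CANDIDATE_SEPARATORS = [",", ";", "\t", "|"]


def detect_separator(header_line):
    """Pick the candidate symbol that occurs most often in the header line."""
    return max(CANDIDATE_SEPARATORS, key=header_line.count)


def inspect_feed(text, spec_columns):
    """Report the separation symbol, the column heads, rows whose field count
    differs from the header, and any mismatch between header and spec.xml."""
    sep = detect_separator(text.splitlines()[0])
    reader = csv.reader(io.StringIO(text), delimiter=sep)
    headers = next(reader)
    good_rows, bad_rows = 0, []
    for lineno, row in enumerate(reader, start=2):
        if not row:
            continue  # blank line, nothing to load
        if len(row) == len(headers):
            good_rows += 1
        else:
            bad_rows.append((lineno, len(row)))  # (line number, field count)
    return {
        "separator": sep,
        "headers": headers,
        "good_rows": good_rows,
        "bad_rows": bad_rows,
        "missing_from_spec": sorted(set(headers) - set(spec_columns)),
        "missing_from_feed": sorted(set(spec_columns) - set(headers)),
    }
```

Run it against the real sample_data.txt you intend to upload: an empty `bad_rows` and empty mismatch lists mean the file and spec.xml agree before you reach the Add Table dialog.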