User Guide
View breach indicators
The ngfcti query extension command allows you to retrieve Financial Security Service FCTI threat information published during a specific time period.
Detect breach indicators
You can check whether the IP addresses, domains, URLs, and file hashes present in collected data appear in NGFCTI threat information. To do this, first enable the NGFCTI feed in the 'Policy' > 'Threat Intelligence' menu.
Detect breach indicators using matchfeed query command
You can select an NGFCTI feed in the matchfeed query command to see whether a given IP address, URL, domain, or file hash value has a corresponding breach indicator.
In the matchfeed query command, enter the desired NGFCTI feed name in the name option, and enter the names of the fields holding the IP address, URL, domain, or file hash values to look up in the fields option. The available feed names are:
- ngfcti_ip
- ngfcti_domain
- ngfcti_url
- ngfcti_md5
- ngfcti_sha256
Running the matchfeed command over the data you have collected shows which records carry a known breach indicator.
Existing detection scenarios that use rules referencing IP addresses in the reputation database, or that use the matchfeed type=ip query command, apply the NGFCTI feed automatically once it is enabled; no additional configuration is needed.
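The following is an added example, not code from this product or its documentation: it emulates in Python the lookup that matchfeed performs when given a feed name and a list of fields, so you can see why the five feeds above are matched differently. The feed contents, the log records, and the output field names _feed and _matched_field are all constructed for illustration (the indicator values are RFC 5737 test addresses, example.com-style domains, and empty-input hashes, not real indicators). The product's own query form for the same lookup is the one described above: matchfeed name=<feed> fields=<field1>,<field2>.

```python
import re
from ipaddress import ip_address

# Constructed sample feed shaped like the five NGFCTI feeds named above.
# All values are placeholders for illustration, not real indicators.
FEEDS = {
    "ngfcti_ip": {"198.51.100.23", "203.0.113.7"},
    "ngfcti_domain": {"malicious.example", "c2.example.net"},
    "ngfcti_url": {"http://malicious.example/payload.bin"},
    "ngfcti_md5": {"d41d8cd98f00b204e9800998ecf8427e"},
    "ngfcti_sha256": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
}

# Expected hex length of each hash feed; used to reject values that cannot be a hash.
HASH_LENGTHS = {"ngfcti_md5": 32, "ngfcti_sha256": 64}


def normalize(feed, value):
    """Canonicalise a field value for lookup in the given feed.

    Case, surrounding whitespace and a trailing dot on a domain must not hide
    a hit, and values that cannot be a valid indicator of that type return
    None so they never match anything.
    """
    if value is None:
        return None
    v = str(value).strip()
    if feed == "ngfcti_ip":
        try:
            return str(ip_address(v))  # rejects garbage, canonicalises IPv6 spelling
        except ValueError:
            return None
    if feed == "ngfcti_domain":
        return v.lower().rstrip(".")
    if feed == "ngfcti_url":
        return v  # URLs are compared exactly as published
    if feed in HASH_LENGTHS:
        v = v.lower()
        return v if re.fullmatch(r"[0-9a-f]{%d}" % HASH_LENGTHS[feed], v) else None
    raise ValueError("unknown feed: %s" % feed)


def matchfeed(records, feed, fields):
    """Return the records whose listed fields hold an indicator from `feed`.

    Mirrors the name/fields options described above: `feed` plays the role of
    the name option, `fields` the fields option. Each hit is annotated with
    the (hypothetical) _feed and _matched_field keys.
    """
    indicators = {normalize(feed, x) for x in FEEDS[feed]}
    indicators.discard(None)
    hits = []
    for rec in records:
        for f in fields:
            if normalize(feed, rec.get(f)) in indicators:
                hits.append({**rec, "_feed": feed, "_matched_field": f})
                break  # one annotation per record is enough here
    return hits


# Constructed log records; note the mixed case and trailing dot, which a
# naive string comparison would miss.
SAMPLE_LOGS = [
    {"src_ip": "10.0.0.5", "dst_ip": "198.51.100.23",
     "host": "Malicious.EXAMPLE.", "md5": "D41D8CD98F00B204E9800998ECF8427E"},
    {"src_ip": "10.0.0.6", "dst_ip": "192.0.2.1",
     "host": "www.example.com", "md5": "not-a-hash"},
    {"src_ip": "203.0.113.7", "dst_ip": "10.0.0.1",
     "host": "c2.example.net", "md5": "d41d8cd98f00b204e9800998ecf8427e"},
]


if __name__ == "__main__":
    for feed, fields in [("ngfcti_ip", ["src_ip", "dst_ip"]),
                         ("ngfcti_domain", ["host"]),
                         ("ngfcti_md5", ["md5"]),
                         ("ngfcti_sha256", ["sha256"])]:
        for hit in matchfeed(SAMPLE_LOGS, feed, fields):
            print(feed, hit["_matched_field"], hit[hit["_matched_field"]])
```

The point to take from the example is that a hash or domain written in a different case, or a domain with a trailing dot, is still the same indicator, while a field that does not exist in the record (sha256 above) simply never matches rather than raising an error.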