The workflow for using scoutTHREAT intelligence with scoutPRIME is detailed in the steps below.
Ensure that you have inserted your scoutPRIME API Key before proceeding; see Adding a scoutPRIME API Key.
1. Select the Threat Actor object you are interested in from the page's list. In this example, we will select "Sofacy".
2. Click on the PRIME icon at the top of the page.
3. To create a scoutPRIME collection, click on the plus sign icon.
4. Provide a name for your new collection, then check the Observable objects (e.g., IPv4, IPv6, domain name) from the Threat Actor object that you would like to add to the collection. Click Create when you are finished.
NOTE: If you provide the name of a collection that already exists in scoutPRIME, you will be prompted to provide a new, unique name.
5. A banner will display confirming that the collection was created successfully and showing the number of Observable objects from the Threat Actor profile that were added.
6. To view the collection in scoutPRIME, click the clipboard icon for View scoutPRIME link(s).
7. When you click the link, you will be taken to your scoutPRIME account's Collections page.
8. On the scoutPRIME Collections page, you will see the Threat Actor information you exported from scoutTHREAT. The links bar below the collection's name will show the number of Observable objects imported from the Threat Actor profile.
In this example, we see that 3 IPv4 addresses were imported. Click on the link.
9. The next page will display the list of IPv4 addresses collected.
10. Click on the TYPES drop-down menu to also select and display the IPv6 addresses that were collected.