Verisign iDefense is a closed-source threat intelligence feed available to all Spectre customers. This feed correlates iDefense IPs against your network's IPs to produce actionable lists of zombie devices and threat flows in your network.
To use iDefense, you'll need the iDefense license key provided by Lumeta. Look for this key in the original welcome email message you received from Lumeta Support. If you can't find your iDefense key, please contact us. To show the zombie devices in your network, you do not need NetFlow data. This dashboard is generated using native Spectre-indexed data. The iDefense feed is correlated against NetFlow data. The intersection of the two populates the threat_feed_ip table. Browse to Settings > Tables > threat_feed_ip > View to open the table.
To produce threat flow results, you'll need a single source of NetFlow data such as Gigamon NetFlow. Spectre can receive NetFlow from a single source. If you have multiples, consider using a NetFlow aggregator. You will also need to direct the NetFlow results to your Spectre Command Center. These topics are out-of-scope for Spectre documentation, but your Solutions Architect and Support can nevertheless help with implementation.
To configure the feed . . .
The NetFlow-capture service enables your Spectre Command Center to ingest NetFlow data. To enable NetFlow capture from the Spectre GUI: To enable NetFlow capture from the Spectre command-line interface: Configure the iDefense feed as follows: Enable NetFlow
The status of the service will change to Running.support service packetcapture start.
The label changes from a red No to a green Yes.
Feed is configured.