Overview of External Threat Feeds
The External Threat Feeds (ETF) framework allows the email gateway to consume external threat information in:
STIX format communicated over TAXII protocol.
The ability to consume external threat information in the email gateway, helps an organization to:
Proactively respond to cyber threats such as, malware, ransomware, phishing attacks, and targeted attacks.
Subscribe to local and third-party threat intelligence sources.
Improve the efficacy of the email gateway.
You need a valid feature key to use the ETF feature on your email gateway. For information on how to obtain a feature key, contact your Cisco sales representative.
STIX (Structured Threat Information eXpression) is the industry standard, structured language to represent cyber threat information. A STIX source consists of an indicator that contains a pattern used to detect malicious or suspicious cyber activity.
TAXII (Trusted Automated eXchange of Indicator Information) defines a set of specifications to exchange cyber threat information via services (TAXII servers) across different organizations or product lines.
The following versions of STIX/TAXII are supported for this release - STIX 1.1.1 and 1.2 with TAXII 1.1.
The Cisco SecureX Threat Response portal allows you to create custom feeds for the continuous gathering of observables and to consume them in your email gateway using the feed URL. A feed is a simple list of observables in JSON format. The feeds are created and managed in the Intelligence > Feeds page in the SecureX Threat Response portal.
Following is a list of STIX and SecureX Threat Response Indicators of Compromise (IOCs) supported for this release:
File Hash Watchlist (describes a set of hashes for suspected malicious files)
IP Watchlist (describes a set of suspected malicious IP addresses)
Domain Watchlist (describes a set of suspected malicious domains)
URL Watchlist (describes a set of suspected malicious URLs)