Overview of External Threat Feeds
The External Threat Feeds (ETF) framework allows the email gateway to consume external threat information in STIX format communicated over TAXII protocol.
The ability to consume external threat information in the email gateway helps an organization to:
- Proactively respond to cyber threats such as malware, ransomware, phishing attacks, and targeted attacks.
- Subscribe to local and third-party threat intelligence sources.
- Improve the efficacy of the email gateway.
You need a valid feature key to use the ETF feature on your email gateway. For information on how to obtain a feature key, contact your Cisco sales representative.
STIX (Structured Threat Information eXpression) is the industry-standard structured language for representing cyber threat information. A STIX source consists of an indicator that contains a pattern used to detect malicious or suspicious cyber activity.
The following is a list of STIX Indicators of Compromise (IOCs) supported for this release:
- File Hash Watchlist (describes a set of hashes for suspected malicious files)
- IP Watchlist (describes a set of suspected malicious IP addresses)
- Domain Watchlist (describes a set of suspected malicious domains)
- URL Watchlist (describes a set of suspected malicious URLs)
TAXII (Trusted Automated eXchange of Indicator Information) defines a set of specifications to exchange cyber threat information via services (TAXII servers) across different organizations or product lines.
The following versions of STIX/TAXII are supported for this release: STIX 1.1.1 and 1.2 with TAXII 1.1.
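To make the four supported watchlist types concrete, the following added example (not code from the Cisco documentation or the email gateway) parses a constructed STIX 1.2 package and extracts the file hashes, IP addresses, domains and URLs that a gateway would turn into match rules. The package content, the `example:` identifiers, the hash value and the hostnames are all constructed sample data; the XML namespaces are the published STIX 1.x/CybOX 2.x ones, and the indicator type names are the STIX `IndicatorTypeVocab` values listed above. Indicators whose type is not one of the four supported watchlists are reported as skipped rather than silently dropped, and multi-valued CybOX fields (joined with `##comma##`) are split into individual values.

```python
import xml.etree.ElementTree as ET

# Namespaces used by STIX 1.x / CybOX 2.x documents.
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "cyboxCommon": "http://cybox.mitre.org/common-2",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
    "DomainNameObj": "http://cybox.mitre.org/objects#DomainNameObject-1",
    "URIObj": "http://cybox.mitre.org/objects#URIObject-2",
}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# The four watchlist indicator types supported by the ETF feature, mapped to the
# CybOX object type that carries the actual values.
SUPPORTED = {
    "File Hash Watchlist": "FileObjectType",
    "IP Watchlist": "AddressObjectType",
    "Domain Watchlist": "DomainNameObjectType",
    "URL Watchlist": "URIObjectType",
}

# Constructed sample STIX 1.2 package (sample data, not a real feed).
SAMPLE_STIX = """<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
  xmlns:indicator="http://stix.mitre.org/Indicator-2" xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
  xmlns:cybox="http://cybox.mitre.org/cybox-2" xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
  xmlns:cyboxVocabs="http://cybox.mitre.org/default_vocabularies-2"
  xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2" xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
  xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1" xmlns:URIObj="http://cybox.mitre.org/objects#URIObject-2"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="example:package-1" version="1.2">
 <stix:Indicators>
  <stix:Indicator id="example:ind-1" xsi:type="indicator:IndicatorType">
   <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">File Hash Watchlist</indicator:Type>
   <indicator:Observable><cybox:Object><cybox:Properties xsi:type="FileObj:FileObjectType">
    <FileObj:Hashes><cyboxCommon:Hash>
     <cyboxCommon:Type xsi:type="cyboxVocabs:HashNameVocab-1.0">SHA256</cyboxCommon:Type>
     <cyboxCommon:Simple_Hash_Value condition="Equals">E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855</cyboxCommon:Simple_Hash_Value>
    </cyboxCommon:Hash></FileObj:Hashes>
   </cybox:Properties></cybox:Object></indicator:Observable>
  </stix:Indicator>
  <stix:Indicator id="example:ind-2" xsi:type="indicator:IndicatorType">
   <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">IP Watchlist</indicator:Type>
   <indicator:Observable><cybox:Object><cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
    <AddressObj:Address_Value condition="Equals" apply_condition="ANY">198.51.100.10##comma##198.51.100.11</AddressObj:Address_Value>
   </cybox:Properties></cybox:Object></indicator:Observable>
  </stix:Indicator>
  <stix:Indicator id="example:ind-3" xsi:type="indicator:IndicatorType">
   <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Domain Watchlist</indicator:Type>
   <indicator:Observable><cybox:Object><cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType" type="FQDN">
    <DomainNameObj:Value condition="Equals">Bad.Example.NET</DomainNameObj:Value>
   </cybox:Properties></cybox:Object></indicator:Observable>
  </stix:Indicator>
  <stix:Indicator id="example:ind-4" xsi:type="indicator:IndicatorType">
   <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">URL Watchlist</indicator:Type>
   <indicator:Observable><cybox:Object><cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
    <URIObj:Value condition="Equals">http://bad.example.net/invoice.zip</URIObj:Value>
   </cybox:Properties></cybox:Object></indicator:Observable>
  </stix:Indicator>
  <stix:Indicator id="example:ind-5" xsi:type="indicator:IndicatorType">
   <indicator:Type xsi:type="stixVocabs:IndicatorTypeVocab-1.1">Malicious E-mail</indicator:Type>
  </stix:Indicator>
 </stix:Indicators>
</stix:STIX_Package>"""


def _values(elem, path):
    """Return the non-empty text of every element matching a namespaced path."""
    return [e.text.strip() for e in elem.findall(path, NS) if e.text and e.text.strip()]


def extract_iocs(xml_text):
    """Return ({"hash", "ip", "domain", "url"} -> values, [skipped indicator types])."""
    root = ET.fromstring(xml_text)
    iocs = {"hash": [], "ip": [], "domain": [], "url": []}
    skipped = []
    for ind in root.findall(".//stix:Indicator", NS):
        itype = (ind.findtext("indicator:Type", default="", namespaces=NS) or "").strip()
        if itype not in SUPPORTED:
            skipped.append(itype or "<untyped>")  # not one of the four watchlists
            continue
        for props in ind.findall(".//cybox:Properties", NS):
            # xsi:type is "prefix:LocalName"; classify on the local name only.
            obj_type = props.get(XSI_TYPE, "").split(":")[-1]
            if obj_type != SUPPORTED[itype]:
                continue  # watchlist label and observable type disagree; ignore
            if obj_type == "FileObjectType":
                for h in props.findall(".//cyboxCommon:Hash", NS):
                    algo = h.findtext("cyboxCommon:Type", default="", namespaces=NS).strip()
                    val = h.findtext("cyboxCommon:Simple_Hash_Value", default="", namespaces=NS).strip()
                    if val:
                        iocs["hash"].append((algo.upper(), val.lower()))  # normalise case
            elif obj_type == "AddressObjectType":
                for v in _values(props, "AddressObj:Address_Value"):
                    iocs["ip"].extend(p.strip() for p in v.split("##comma##") if p.strip())
            elif obj_type == "DomainNameObjectType":
                iocs["domain"].extend(v.lower() for v in _values(props, "DomainNameObj:Value"))
            elif obj_type == "URIObjectType":
                iocs["url"].extend(_values(props, "URIObj:Value"))
    return iocs, skipped


if __name__ == "__main__":
    found, unsupported = extract_iocs(SAMPLE_STIX)
    for kind, values in found.items():
        print(f"{kind}: {values}")
    print("skipped indicator types:", unsupported)
```

The parser keys on the indicator's `Type` element first and only then on the CybOX object type, so an indicator labelled as one watchlist but carrying a different observable type is ignored rather than misfiled; a real feed consumer would also want to honour the `condition` attribute (only `Equals` is shown here) and the TAXII poll that delivered the package.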