This topic has instructions for integrating CSE with a TAXII threat intelligence feed. In this configuration, CSE is a TAXII client, and polls a TAXII Server.
To integrate with a TAXII feed, consult the documentation for the feed. For example:
- If you are integrating Cloud SIEM with the Cybersecurity & Information Security Agency (CISA) TAXII feed, see the CISA AIS TAXII Server Connection Guide and Automated Indicator Sharing.
- If you are integrating Cloud SIEM with Anomali Threatstream, see Generating Your Own Threat Intelligence Feeds in ThreatStream on the Anomali blog.
About the integration
To integrate CSE with a TAXII feed, you configure the URL of the TAXII provider’s discovery service and a polling interval. At the configured interval, CSE uses the discovery service to look up the URL of the poll service, and then sends poll requests to that service, which then returns the indicators to CSE.
Leveraging indicators in rules
The integration allows you to enrich incoming Records with threat intel information, and leverage that information in CSE Rules. How does that work? CSE compares incoming Records with information from the threat feed. When there is a “match”, for instance when an IP address in a Record matches an IP address that the feed says is malicious, CSE adds relevant information to that Record. Because the threat intel information is persisted within Records, you can reference it downstream in both rules and search. The built-in rules that come with CSE will also automatically create a Signal for any Record with a match from your threat feed. To leverage the information in a rule, you can extend your custom rule expression, or add a Rule Turning Expression to a built-in rule. For a more detailed explanation of how to use threat intelligence information in rules, see Threat Intelligence in the About CSE Rules topic.
CSE supports TAXII v1.1 and v1.2.
Configure the integration
- Click the Content menu and select Threat Intelligence.
- On the Threat Intelligence page, click Add Source.
- On the Add New Source popup, click TAXII Feed.
- The Add Source page appears.
- Name. Enter a name for the feed.
- Description. Enter a description of the feed.
- URL. Enter the URL for the feed provider’s TAXII discovery service endpoint.
- Poll Interval. Enter the frequency at which you want to poll the feed for updates.
- Default Indicator TTL. If desired, specify a default TTL that will take effect for Indicators that don’t have a defined expiration.
- Max Lookback days. You can use this option to tell CSE how many days of data to fetch the first time you populate your list of indicators. By default, the first time you populate the list, CSE will look for all data from the feed for all time. Note that on subsequent updates, CSE will only consider data added to the feed since the last time it was polled.
- Collections. You can optionally enter a comma-separated list of the specific collections of indicators that you want to retrieve. (The collections available depend on your threat intel provider.) If you leave this field blank, all indicators will be queried.)
- Subscription ID. As required, an subscription ID to send to the TAXII provider in the poll request.
- Username. Enter the username for accessing the TAXII server.
- Password. Enter the password for accessing the TAXII server.
- Certificate. If required, drop the certificate for accessing the TAXII server into this field.
- Certificate Password. Enter the password for the certificate.
- Click Add TAXII Feed Source.