topic Re: Default Action Supported for Third-party integration feeds in Network Security

Default Action Supported for Third-party integration feeds

MatthewHickey7355 — Fri, 07 Mar 2025 20:01:56 GMT

My organization is ingesting third-party intelligence feeds into our FMC via STIX/TAXII. A default action of block is not supported for this delivery method. Because ours is a sparsely staffed team who fills many widely ranging IT roles, and the feeds we ingest often contain several thousands of observables, we can't feasibly keep up with the manual process of clicking each one and setting it to block. Can anybody confirm if there is a way to bulk edit observables under Integration>Sources>Observables? Or can switching from STIX/TAXII to ingesting a flat file help us get around not being able to block by default?

TAC, while usually helpful, hasn't been able to give me a straight answer and neither can Google. I see in some places on the web that a default block action is supported, and in other places straight-up contradictions of that.

Thanks

Re: Default Action Supported for Third-party integration feeds

nspasov — Fri, 07 Mar 2025 23:31:24 GMT

This is not possible: https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/770/management-center-device-config-77/threat-intelligence-director.html

You cannot change the Action selection for TAXII sources.
Block is not an Action option for TAXII sources, as STIX data can contain complex indicators, 
which the system cannot block. Devices (elements) store and take action based on single observables; 
they cannot take action based on multiple observables.

Thank you for rating helpful posts!

Re: Default Action Supported for Third-party integration feeds

MatthewHickey7355 — Mon, 10 Mar 2025 11:21:27 GMT

Hi,

Thanks, but I already knew you can't change the default action for STIX/TAXII sources. Which is why I posted this thread. I'm asking if there is any way to bulk edit them instead of having to do them all individually. OR will ingesting them with a flat format .txt file allow us to default the action to block?

Re: Default Action Supported for Third-party integration feeds

MatthewHickey7355 — Mon, 10 Mar 2025 17:54:12 GMT

I believe I have found the answer to my own question.

In FMC if you go to Integration>Sources and then click on the + in the upper right corner, it brings up the Add Source window.

If you change Delivery to Upload, Type to Flat File, the action drop-down is no longer greyed out.

The supported file type is .txt. You will have to upload multiple files if you want to block different observable types. One file per observable type (i.e. IPv4, Domain, URL, SHA-256, etc.)

Re: Default Action Supported for Third-party integration feeds

Danny Dulin — Thu, 23 Oct 2025 16:02:37 GMT

@MatthewHickey7355 What's the benefit of doing the flat file the way you describe vs. creating a security intelligence list object and and adding to the Security Intelligence section of the Access Control Policy?