ESA support for STIX/TAXII API

Dhanesh
Cisco Employee

Hi,

Does the Cisco ESA solution have support for the STIX/TAXII API?


rajett
Cisco Employee

Hi,

This is an item that is on the roadmap for the Cisco Email Security products. Your account team can arrange for a roadmap presentation by a member of the Product Management or TME team for those products.

Raymond

mattdrury
Level 1

Looks like it's coming in version 12 as an integrated feature, woot.

marc.luescherFRE
Spotlight

This support is coming with ESA Version 12, planned ETA in Q1/2019.

This is available now in 12.0 (LD). I've done some basic testing and it works!

Excellent. I've been weighing some feeds in anticipation.

Care to share which feeds you're looking at?

As I can see, there is a feature key needed on the Ironport in order to use this. Is it expensive?

Hi, I tested it with evaluation licenses so I'm not sure, but I believe there's no extra charge to consume threat feeds. Getting your hands on commercial external threat intelligence feeds is not included, of course.

 

From the release notes:

If you are using the Classic licensing mode and you do not have an External Threat Feeds feature key, you must contact the Cisco Global Licensing Operations (GLO) team to obtain the feature key as follows:

1. Send an email to the GLO team (licensing@cisco.com) with the message subject as “Request for External Threat Feeds Feature Key”, and provide your Product Authorization Key (PAK) file and Purchase Order (PO) details in the email.

2. The GLO team provisions the feature key manually, and sends you an email with the license key to install on your appliance.

 

Note: If you switch to the Smart Licensing mode on your appliance, you are automatically provided with an External Threat Feeds feature key.

Hello askaerr,

I’m including a few sources I’ve come across in my research.

There are some free sources. It’s a matter of searching them out.
https://otx.alienvault.com/ I used some free from here. May need to dig or register
hailataxii.com offers some free feeds.
https://threatconnect.com/ >> professional level, possibly register for temp access.
There are also external 3rd party options to stand up your own server and retrieve content from public sources.
http://www.soltra.com/en/
This is a very intriguing topic which will draw you in for several hours of reading ☺.
https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/look-how-easy-taxii-is/

Back to hailtaxii
Translating their content into the proper values within the ESA settings…
Hostname: hailataxii.com
Polling Path: taxii-discovery-service
Collection Name: (take this value from the list on their webpage)
They indicate HTTP >> polling port
If you want credentials, they include the account > guest.

Hit that page for ideas. It’s very direct.

How to connect (from the webpage)
Our data is accessible via the TAXII-HTTP Message Protocol. (1.0 & 1.1)
The discovery service is located at http://hailataxii.com/taxii-discovery-service
Anonymous connections are accepted.
Clients that require login details can use HTTP-Basic user=guest, password=guest.
WHAT IS IT?

Hail a TAXII.com is a repository of Open Source Cyber Threat Intelligence feeds in STIX format.
There are currently 1107066 indicators, last updated Fri May 25 15:18:06 2018 UTC.

AVAILABLE FEEDS

* guest.Abuse_ch
* guest.CyberCrime_Tracker
* guest.EmergingThreats_rules
* guest.Lehigh_edu
* guest.MalwareDomainList_Hostlist
* guest.blutmagie_de_torExits
* guest.dataForLast_7daysOnly
* guest.dshield_BlockList
* guest.phishtank_com

HOW TO CONNECT

Our data is accessible via the TAXII-HTTP Message Protocol. (1.0 & 1.1)
The discovery service is located at http://hailataxii.com/taxii-discovery-service

Anonymous connections are accepted.
Clients that require login details can use HTTP-Basic user=guest, password=guest.

CONTACT US
For questions or comments, please contact us using info@hailataxii.com.

Hello Charella,

 

Could you please let us know what the recommended deployment is?

 

Usually we get a list of IOCs, so we can have our own server and add the required IOCs!

 

If you know more about that server (specs, required operating system, required software to define IOCs, a complete guide for it), please share.

 

charella,

 

Have you entered those hailataxii values into CTR setup? I've tried those, and variations, and am consistently getting an error. This is as guest/guest or anonymous (no user); with or without a trailing slash on the polling path; etc. Use HTTPS is No (port 80).

 

A failure was encountered for the source 'HailATaxii-domain'. Reason for failure A poll for the source HailATaxii-domain was not initiated because the details of the source could not be fetched.

 

I'm having difficulty getting the hailataxii open source feed configured. I have followed the instructions from the website and even tried to use the configuration from the YouTube video. However our test machine won't accept the polling path and the email address for hailataxii is not found by O365. Is anyone still using hailataxii?

 

Are there any other open source polling paths available that don't require a taxii client to be configured?

 

Try the following config :

 

Source:   HailATaxii_7days

Hostname : hailataxii.com

Polling Path : /taxii-discovery-service

Collection name : guest.dataForLast_7daysOnly

Polling Interval : 1 hour

use HTTPS : no, port 80

 

I hope that will get you started.

 

-Marc
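The ESA settings Marc lists (hostname, polling path, collection name, optional guest/guest credentials) correspond to a TAXII 1.1 exchange: POST a Discovery_Request to the polling path, take the POLL service address from the Discovery_Response, then send a Poll_Request naming the collection. The Python below is an added example, not Cisco's or hailataxii's code: it builds those messages and the Basic-auth header and parses a constructed sample Discovery_Response offline; the function names and the sample's endpoint are assumptions.

```python
import base64
import uuid
import xml.etree.ElementTree as ET

# TAXII 1.1 XML binding namespace and the request headers a TAXII 1.x client sends.
NS = "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
HEADERS = {
    "Content-Type": "application/xml",
    "X-TAXII-Content-Type": "urn:taxii.mitre.org:message:xml:1.1",
    "X-TAXII-Protocol": "urn:taxii.mitre.org:protocol:http:1.0",
    "X-TAXII-Services": "urn:taxii.mitre.org:services:1.1",
}
ET.register_namespace("taxii_11", NS)

def basic_auth(user: str, password: str) -> dict:
    """HTTP Basic header for the guest/guest account the feed page describes."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}

def discovery_request() -> bytes:
    """Discovery_Request body, POSTed to the polling path (/taxii-discovery-service)."""
    req = ET.Element(f"{{{NS}}}Discovery_Request", message_id=uuid.uuid4().hex)
    return ET.tostring(req, encoding="utf-8", xml_declaration=True)

def poll_request(collection: str) -> bytes:
    """Poll_Request for one collection, e.g. guest.dataForLast_7daysOnly."""
    req = ET.Element(f"{{{NS}}}Poll_Request", message_id=uuid.uuid4().hex,
                     collection_name=collection)
    params = ET.SubElement(req, f"{{{NS}}}Poll_Parameters", allow_asynch="false")
    ET.SubElement(params, f"{{{NS}}}Response_Type").text = "FULL"
    return ET.tostring(req, encoding="utf-8", xml_declaration=True)

def poll_service_urls(discovery_response: bytes) -> list:
    """Addresses of available POLL services; an empty list means polling cannot start."""
    root = ET.fromstring(discovery_response)
    urls = []
    for inst in root.iter(f"{{{NS}}}Service_Instance"):
        if inst.get("service_type") == "POLL" and inst.get("available", "true") == "true":
            addr = inst.find(f"{{{NS}}}Address")
            if addr is not None and addr.text:
                urls.append(addr.text.strip())
    return urls

# Constructed sample Discovery_Response (not captured from hailataxii.com); the address is a placeholder.
SAMPLE_RESPONSE = f"""<?xml version="1.0" encoding="UTF-8"?>
<taxii_11:Discovery_Response xmlns:taxii_11="{NS}" message_id="2" in_response_to="1">
 <taxii_11:Service_Instance service_type="POLL" available="true">
  <taxii_11:Address>http://taxii.example.invalid/taxii-data</taxii_11:Address>
 </taxii_11:Service_Instance>
</taxii_11:Discovery_Response>""".encode()
```

Sending `discovery_request()` with `HEADERS` (for example via urllib) to the real discovery service shows whether a "details of the source could not be fetched" error comes from the discovery step or from the collection name.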