03-20-2017 12:29 AM
Hi,
Does the Cisco ESA solution have support for a STIX/TAXII API?
10-29-2019 12:10 PM
Awesome!! That worked - Thanks for your help Marc!!
10-30-2019 08:31 AM
Does the message tracking detail indicate if a message was blocked due to matching criteria on a content filter / HAT list with external threat feed input?
I'm asking because I would like to create a validation plan in my test environment to see how the threat feeds are affecting traffic.
10-30-2019 09:43 AM
You need to do some manual work for this to be easy for you. But first a warning: a lot of the free STIX/TAXII feeds are not the quality they should be. I would not take any decision based only on the results of a STIX/TAXII feed, based on experience. Some of the better paid ones can be fully trusted.
Create three Policy Quarantines:
TrapURLTAXII
TrapURLDomain
TrapURLFiles
then create content filters like:
TrapURLTaxii: if (url-external-threat-feeds (['HailATaxii_7days'], "", 1, 1)) { duplicate-quarantine("TrapURLTAXII"); log-entry("--TrapURLTAXII--"); }
TrapDomainTaxii: if (domain-external-threat-feeds (['HailATaxii_7days'], ['mail-from', 'from', 'reply-to'], "Domain_BypassList")) { duplicate-quarantine("TrapURLDomain"); log-entry("--TrapDomainTAXII--"); }
TrapFileTaxii: if (file-hash-etf-rule (['HailATaxii_7days'], "")) { duplicate-quarantine("TrapURLFiles"); log-entry("--TrapFileTAXII--"); }
That way you can test in production without impacting live traffic.
Now you can either look at your hits in the 3 quarantines or grep the --string-- in mail_logs using CLI.
I hope that helps
-Marc
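To turn the grep step above into the validation report the earlier question asked for, here is an added example (not part of the thread, not Cisco's code) that tallies the log-entry() tags from Marc's filters per message. It assumes that log-entry() text lands in mail_logs as "... Info: MID <n> Custom Log Entry: <text>" and that the sender can be read from the "MID <n> ICID <n> From: <addr>" line; both line formats and the sample excerpt below are constructed assumptions, so adjust the regexes to what your appliance actually writes.

```python
"""Tally external-threat-feed trap hits from Cisco ESA mail_logs.

Added example, not from the original thread. Assumptions (not confirmed
by the thread): the filters use the log-entry() tags from Marc's post,
log-entry() text appears as "Info: MID <n> Custom Log Entry: <text>",
and the sender comes from the "MID <n> ICID <n> From: <addr>" line.
"""
import re
import sys
from collections import Counter, defaultdict

# Constructed sample mail_logs excerpt; not captured from a real appliance.
SAMPLE_MAIL_LOGS = """\
Wed Oct 30 09:43:01 2019 Info: MID 1001 ICID 501 From: <alice@example.net>
Wed Oct 30 09:43:02 2019 Info: MID 1001 Custom Log Entry: --TrapURLTAXII--
Wed Oct 30 09:43:02 2019 Info: MID 1001 quarantined to "TrapURLTAXII" (content filter:TrapURLTaxii)
Wed Oct 30 09:44:10 2019 Info: MID 1002 ICID 502 From: <bob@example.org>
Wed Oct 30 09:44:11 2019 Info: MID 1002 Custom Log Entry: --TrapDomainTAXII--
Wed Oct 30 09:44:11 2019 Info: MID 1002 Custom Log Entry: --TrapURLTAXII--
Wed Oct 30 09:45:00 2019 Info: MID 1003 ICID 503 From: <carol@example.com>
Wed Oct 30 09:45:01 2019 Info: MID 1003 Custom Log Entry: --TrapFileTAXII--
Wed Oct 30 09:46:00 2019 Info: MID 1004 ICID 504 From: <dave@example.com>
Wed Oct 30 09:46:01 2019 Info: MID 1004 Message finished MID 1004 done
"""

# Tags written by the three content filters, mapped to the rule that fired.
TRAP_TAGS = {
    "--TrapURLTAXII--": "url-external-threat-feeds",
    "--TrapDomainTAXII--": "domain-external-threat-feeds",
    "--TrapFileTAXII--": "file-hash-etf-rule",
}

MID_RE = re.compile(r"\bMID (?P<mid>\d+)\b")
CUSTOM_RE = re.compile(r"\bMID (?P<mid>\d+) Custom Log Entry: (?P<text>.+)$")
FROM_RE = re.compile(r"\bMID (?P<mid>\d+) ICID \d+ From: <(?P<sender>[^>]*)>")


def parse_trap_hits(lines):
    """Return (tags_by_mid, sender_by_mid, all_mids).

    A message matched by several feeds is counted once per feed in
    tags_by_mid but only once as a flagged message.
    """
    tags_by_mid = defaultdict(set)
    sender_by_mid = {}
    all_mids = set()
    for line in lines:
        m = MID_RE.search(line)
        if not m:
            continue  # ICID/DCID-only lines carry no message context
        all_mids.add(m.group("mid"))
        f = FROM_RE.search(line)
        if f:
            sender_by_mid[f.group("mid")] = f.group("sender")
        c = CUSTOM_RE.search(line)
        if c and c.group("text").strip() in TRAP_TAGS:
            tags_by_mid[c.group("mid")].add(c.group("text").strip())
    return dict(tags_by_mid), sender_by_mid, all_mids


def summarize(lines):
    """Build the validation numbers: hit rate, per-feed counts, overlaps."""
    tags_by_mid, sender_by_mid, all_mids = parse_trap_hits(lines)
    per_tag = Counter(tag for tags in tags_by_mid.values() for tag in tags)
    flagged = sorted(tags_by_mid, key=int)
    return {
        "total_mids": len(all_mids),
        "flagged_mids": flagged,
        "multi_hit_mids": [m for m in flagged if len(tags_by_mid[m]) > 1],
        "per_tag": dict(per_tag),
        "hit_rate": len(flagged) / len(all_mids) if all_mids else 0.0,
        "senders": {m: sender_by_mid.get(m, "?") for m in flagged},
    }


def main(argv):
    if len(argv) > 1:  # usage: python trap_hits.py mail_logs
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_MAIL_LOGS.splitlines()
    s = summarize(lines)
    print(f"messages seen: {s['total_mids']}, flagged: {len(s['flagged_mids'])} "
          f"({s['hit_rate']:.1%})")
    for tag, n in sorted(s["per_tag"].items()):
        print(f"  {tag:22} {TRAP_TAGS[tag]:30} {n}")
    for mid in s["flagged_mids"]:
        print(f"  MID {mid} from {s['senders'][mid]}")
    if s["multi_hit_mids"]:
        print("matched by more than one feed:", ", ".join(s["multi_hit_mids"]))


if __name__ == "__main__":
    main(sys.argv)
```

Run it against a mail_logs export pulled from the appliance, then compare the flagged MIDs with what sits in the three duplicate quarantines; since the filters only duplicate-quarantine, a high hit rate from a free feed shows up here as noise before anything is actually dropped.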