Cisco Secure Email Support Community

BVR EDV
Beginner

External Threat Feed Sources

Hi,

witch External Threat Feeds (ETF) Sources do you use on your ESA?

Are there any recommendations?

Kind regards

 

Accepted Solution

One, get an account at https://otx.alienvault.com/

Click on API in the top menu.

There's a set of tabs below the header (Resources, Docs, TAXII, Example API Uses), select TAXII.

That will show you what's happening/how it's structured...

In the upper right you should see your OTX key. Copy that.

So, make sure you've enabled the Threat Feeds under Security Services.

Then in Mail Policies/External Threat Feeds Manager, click on Add Source.

Give it a name

Host name is "otx.alienvault.com"

Polling path is "/taxii/poll"

Collection name is "user_AlienVault"

Interval 1 hour

Age 30 days

Time span 30 days

Use HTTPS

User creds, basic, username is your key, password is anything...

mattdrury
Beginner

I've experimented with a few public ones - abuse.ch, lehigh, phishtank - via hailataxii, but haven't found any so far that provide value beyond what ESA is doing for me.

I remain confident, though, and continue to look.

 

 

Ken Stieers
Advocate

Take a look at Anomali OTX, AlienVault too.

 

 

 

 

Can you tell me what your configuration was to get OTX and AlienVault to work? I was not able to get the threat feed to setup.

 


Thank you!

Thank you!

Hi Ken,

 

I have followed your ETF setup using otx.alienvault.com and the ESA was able to poll the source.

How can I test whether the ETF is working? My difficulty is generating an email that contains the threat.

 

Thanks.

Thanks Ken. I am able to configure the external threat feed on Cisco ESA. How to test this before using it in mail policy? Any guidance is much appreciated.

Hi there,

 

I would recommend a safe approach. Create three quarantines on your ESA or SMA.

 

TrapTAXIDomain

TrapTAXIFile

TrapTAXIURL

 

Create three message filters like the following three examples.

 

GUI_Trap_ThreatFeedURL: if (url-external-threat-feeds (['Anomali', 'ISAC-XXX', 'Hail-A-Taxi'], "URLWhiteList", 1, 1)) { log-entry("--Trap TAXII URL--"); insert-header("X-IronPort-TF", "URL"); duplicate-quarantine("TrapTAXIURL"); }

 

GUI_Trap_ThreatFeedDomain: if (domain-external-threat-feeds (['Anomali', 'ISAC-XXX', 'Hail-A-Taxi'], ['mail-from', 'from', 'reply-to'], "Domain_BypassList")) { log-entry("--Trap TAXII Domain--"); insert-header("X-IronPort-TF", "DOMAIN"); duplicate-quarantine("TrapTAXIDomain"); }

 

GUI_Trap_ThreatFeedHash: if (file-hash-etf-rule (['Anomali', 'ISAC-XXX', 'Hail-A-Taxi'], "")) { log-entry("--Trap TAXII Hash--"); insert-header("X-IronPort-TF", "FILE"); duplicate-quarantine("TrapTAXIFile"); }

 

Those three filters, once activated, will copy messages which match any of the three filters to the corresponding PVO. From there you can check and inspect if the results make sense to you without impacting end user delivery for now.

 

You might need to repeat this exercise for different feeds and test them at least for 30 days before taking hard actions.

 

I hope that helps

 

-Marc

 

 

 

Here you go:

 

Hostname: otx.alienvault.com
Polling Path: /taxii/poll
Collection Name: user_AlienVault
Username / API Key: (provided from OTX)

Password: (anything - it's ignored)

Feed(s): guest.Abuse_ch, etc

Hi

 

Is it possible to view the entries/data inside that ETF ?

Not from the ESA.
You'll have to view it from a client like STAXX or other feed client.
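As an added example that is not part of this thread: a small Python feed-client routine that pulls the domain, URL and file-hash observables out of a TAXII 1.1 Poll_Response, which is what the source configured above (host otx.alienvault.com, path /taxii/poll, collection user_AlienVault) hands back to the ESA and what the three ETF filter rules act on. The Poll_Response below is constructed, and the STIX 1.x/CybOX 2.x element layout is assumed to match what the feed serves.

```python
import xml.etree.ElementTree as ET

# CybOX 2.x namespaces the parser needs; the STIX/TAXII wrapper around them is only traversed.
NS = {
    "cybox": "http://cybox.mitre.org/cybox-2",
    "DomainNameObj": "http://cybox.mitre.org/objects#DomainNameObject-1",
    "URIObj": "http://cybox.mitre.org/objects#URIObject-1",
    "cyboxCommon": "http://cybox.mitre.org/common-2",
}
# The observable types the ESA's url/domain/file-hash ETF rules consume, and where their values live.
KINDS = (("domain", "DomainNameObj:Value"), ("url", "URIObj:Value"),
         ("hash", ".//cyboxCommon:Simple_Hash_Value"))

def extract_indicators(poll_response_xml):
    """Return [(kind, value)] for every domain, URL and file-hash observable in a TAXII 1.1 Poll_Response."""
    # Feed XML is untrusted input; stdlib expat does not fetch external entities (use defusedxml if entity expansion is a concern).
    root = ET.fromstring(poll_response_xml)
    found = []
    for props in root.iterfind(".//cybox:Properties", NS):
        for kind, path in KINDS:
            el = props.find(path, NS)
            if el is not None and el.text and el.text.strip():
                found.append((kind, el.text.strip()))
    return found

# Constructed sample Poll_Response (not a real OTX capture): one indicator of each kind; the hash is SHA-256 of empty input.
SAMPLE_POLL_RESPONSE = """<taxii_11:Poll_Response collection_name="user_AlienVault"
  xmlns:taxii_11="http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
  xmlns:stix="http://stix.mitre.org/stix-1" xmlns:indicator="http://stix.mitre.org/Indicator-2"
  xmlns:cybox="http://cybox.mitre.org/cybox-2" xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
  xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
  xmlns:URIObj="http://cybox.mitre.org/objects#URIObject-1" xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2">
 <taxii_11:Content_Block><taxii_11:Content><stix:STIX_Package><stix:Indicators>
  <stix:Indicator><indicator:Observable><cybox:Object><cybox:Properties>
   <DomainNameObj:Value>malicious.example</DomainNameObj:Value>
  </cybox:Properties></cybox:Object></indicator:Observable></stix:Indicator>
  <stix:Indicator><indicator:Observable><cybox:Object><cybox:Properties>
   <URIObj:Value>http://malicious.example/payload.bin</URIObj:Value>
  </cybox:Properties></cybox:Object></indicator:Observable></stix:Indicator>
  <stix:Indicator><indicator:Observable><cybox:Object><cybox:Properties><FileObj:Hashes>
   <cyboxCommon:Hash><cyboxCommon:Type>SHA256</cyboxCommon:Type><cyboxCommon:Simple_Hash_Value>
    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855</cyboxCommon:Simple_Hash_Value>
   </cyboxCommon:Hash></FileObj:Hashes></cybox:Properties></cybox:Object></indicator:Observable></stix:Indicator>
 </stix:Indicators></stix:STIX_Package></taxii_11:Content></taxii_11:Content_Block>
</taxii_11:Poll_Response>"""

if __name__ == "__main__":
    for kind, value in extract_indicators(SAMPLE_POLL_RESPONSE):
        print(f"{kind:6s} {value}")
```

Run it against the body of a real poll (fetched with your OTX key as the Basic-auth username) to see which entries a source would feed the ESA before you point a message filter at it.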
