04-17-2019 03:53 AM
Hi,
Which External Threat Feeds (ETF) sources do you use on your ESA?
Are there any recommendations?
Kind regards
Labels: Email Security
Accepted Solutions
07-23-2019 07:38 AM
Click on API in the top menu.
There's a set of tabs below the header (Resources, Docs, TAXII, Example API Uses); select TAXII.
That will show you what's happening/how it's structured...
In the upper right you should see your OTX key. Copy that.
So, make sure you've enabled the Threat Feeds under Security Services.
Then in Mail Policies/External Threat Feeds Manager, click on Add Source.
Give it a name
Host name is "otx.alienvault.com"
Polling path is "/taxii/poll"
Collection name is "user_AlienVault"
Interval 1 hour
Age 30 days
Time span 30 days
Use HTTPS
User creds, basic, username is your key, password is anything...
04-25-2019 12:20 PM
I've experimented with a few public ones - abuse.ch, lehigh, phishtank - via hailataxii, but haven't found any so far that provide value beyond what ESA is doing for me.
I remain confident, though, and continue to look.
05-24-2019 03:17 PM
Take a look at Anomali OTX, AlienVault too.
07-23-2019 06:57 AM
Can you tell me what your configuration was to get OTX and AlienVault to work? I was not able to get the threat feed to set up.
07-23-2019 08:28 AM
Thank you!
11-25-2019 12:59 PM
Hi Ken,
I have followed your ETF setup using otx.alienvault.com and the ESA was able to poll the source.
How can I test whether the ETF is working? My difficulty is generating an email that contains the threat.
Thanks.
12-26-2019 09:55 PM
Thanks Ken. I am able to configure the external threat feed on Cisco ESA. How to test this before using it in mail policy? Any guidance is much appreciated.
12-27-2019 06:18 AM
Hi there,
I would recommend a safe approach. Create three quarantines on your ESA or SMA:
TrapTAXIDomain
TrapTAXIFile
TrapTAXIURL
Create three message filters like the following three examples.
GUI_Trap_ThreatFeedURL: if (url-external-threat-feeds (['Anomali', 'ISAC-XXX', 'Hail-A-Taxi'], "URLWhiteList", 1, 1)) { log-entry("--Trap TAXII URL--"); insert-header("X-IronPort-TF", "URL"); duplicate-quarantine("TrapTAXIURL"); }
GUI_Trap_ThreatFeedDomain: if (domain-external-threat-feeds (['Anomali', 'ISAC-XXX', 'Hail-A-Taxi'], ['mail-from', 'from', 'reply-to'], "Domain_BypassList")) { log-entry("--Trap TAXII Domain--"); insert-header("X-IronPort-TF", "DOMAIN"); duplicate-quarantine("TrapTAXIDomain"); }
GUI_Trap_ThreatFeedHash: if (file-hash-etf-rule (['Anomali', 'ISAC-XXX', 'Hail-A-Taxi'], "")) { log-entry("--Trap TAXII Hash--"); insert-header("X-IronPort-TF", "FILE"); duplicate-quarantine("TrapTAXIFile"); }
Those three filters, once activated, will copy messages which match any of the three filters to the corresponding PVO. From there you can check and inspect whether the results make sense to you without impacting end user delivery for now.
You might need to repeat this exercise for different feeds and test them for at least 30 days before taking hard actions.
I hope that helps
-Marc
07-23-2019 07:49 AM
Here you go:
Hostname: otx.alienvault.com
Polling Path: /taxii/poll
Collection Name: user_AlienVault
Username / API Key: (provided from OTX)
Password: (anything - it's ignored)
Feed(s): guest.Abuse_ch, etc
10-20-2021 10:14 PM
Hi
Is it possible to view the entries/data inside that ETF ?
10-22-2021 06:57 AM
You'll have to view it from a client like STAXX or other feed client.
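The following is an added example, not code from this thread, from Cisco, or from AlienVault. It covers two points raised above: the accepted answer's poll settings (host otx.alienvault.com, path /taxii/poll, collection user_AlienVault, 30-day age, HTTPS, basic auth with the OTX key as username and any password), and the last question about looking at what is actually inside the feed. It builds the TAXII 1.1 Poll_Request the appliance would send and parses URL, domain and file-hash observables out of a STIX 1.x Poll_Response. The TAXII header names and the STIX/CybOX namespaces are those of the MITRE 1.1 specifications; the Poll_Response is constructed here so the parser runs offline.

```python
"""Added example (not Cisco ESA or AlienVault code): build the TAXII 1.1 Poll_Request
the ESA sends for the OTX settings in this thread, and parse STIX 1.x indicators
(URLs, domains, file hashes) out of a Poll_Response so the feed's entries can be
inspected without the appliance.  The Poll_Response below is constructed."""
import base64
import datetime as dt
import uuid
import xml.etree.ElementTree as ET

TAXII = "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
NS = {"taxii_11": TAXII,
      "URIObj": "http://cybox.mitre.org/objects#URIObject-2",
      "DomainNameObj": "http://cybox.mitre.org/objects#DomainNameObject-1",
      "cyboxCommon": "http://cybox.mitre.org/common-2"}


def taxii_headers(api_key, password="x"):
    """HTTP headers for a TAXII 1.1 poll over HTTPS.  Basic auth carries the OTX
    key as the username; OTX ignores the password, as the accepted answer notes."""
    token = base64.b64encode(f"{api_key}:{password}".encode()).decode()
    return {"Content-Type": "application/xml", "Accept": "application/xml",
            "X-TAXII-Content-Type": "urn:taxii.mitre.org:message:xml:1.1",
            "X-TAXII-Protocol": "urn:taxii.mitre.org:protocol:https:1.0",
            "X-TAXII-Services": "urn:taxii.mitre.org:services:1.1",
            "Authorization": f"Basic {token}"}


def build_poll_request(collection, age_days=30, now=None):
    """Poll_Request for everything newer than age_days (the ESA 'Age' setting);
    response type FULL asks the server to return indicator content inline."""
    now = now or dt.datetime.now(dt.timezone.utc)
    begin = now - dt.timedelta(days=age_days)
    ET.register_namespace("taxii_11", TAXII)
    req = ET.Element(f"{{{TAXII}}}Poll_Request",
                     {"message_id": uuid.uuid4().hex, "collection_name": collection})
    ET.SubElement(req, f"{{{TAXII}}}Exclusive_Begin_Timestamp").text = begin.isoformat()
    ET.SubElement(req, f"{{{TAXII}}}Inclusive_End_Timestamp").text = now.isoformat()
    params = ET.SubElement(req, f"{{{TAXII}}}Poll_Parameters", {"allow_asynch": "false"})
    ET.SubElement(params, f"{{{TAXII}}}Response_Type").text = "FULL"
    return ET.tostring(req, encoding="utf-8", xml_declaration=True)


def parse_poll_response(xml_bytes):
    """Collect URL, domain and file-hash observables from every Content_Block.
    Returns {"collection": str, "more": bool, "indicators": {...}}."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{TAXII}}}Poll_Response":
        raise ValueError(f"not a TAXII 1.1 Poll_Response: {root.tag}")
    found = {"url": [], "domain": [], "hash": []}
    for block in root.findall("taxii_11:Content_Block", NS):
        for el in block.iter(f"{{{NS['URIObj']}}}Value"):
            found["url"].append(el.text.strip())
        for el in block.iter(f"{{{NS['DomainNameObj']}}}Value"):
            found["domain"].append(el.text.strip().lower())   # domains compare case-insensitively
        for h in block.iter(f"{{{NS['cyboxCommon']}}}Hash"):
            htype = h.find("cyboxCommon:Type", NS)
            hval = h.find("cyboxCommon:Simple_Hash_Value", NS)
            if htype is not None and hval is not None:
                found["hash"].append((htype.text.strip().lower(), hval.text.strip().lower()))
    return {"collection": root.get("collection_name"),
            "more": root.get("more", "false") == "true", "indicators": found}


# Constructed Poll_Response: one URL, one domain and one SHA256 indicator (all fake).
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<taxii_11:Poll_Response xmlns:taxii_11="http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
  message_id="2" in_response_to="1" collection_name="user_AlienVault" more="false">
 <taxii_11:Content_Block>
  <taxii_11:Content_Binding binding_id="urn:stix.mitre.org:xml:1.1.1"/>
  <taxii_11:Content>
   <stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1" xmlns:indicator="http://stix.mitre.org/Indicator-2"
     xmlns:cybox="http://cybox.mitre.org/cybox-2" xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
     xmlns:URIObj="http://cybox.mitre.org/objects#URIObject-2"
     xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
     xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="example:Package-1" version="1.1.1">
    <stix:Indicators>
     <stix:Indicator id="example:indicator-1" xsi:type="indicator:IndicatorType">
      <indicator:Observable><cybox:Object><cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
       <URIObj:Value>http://phish.example.test/login</URIObj:Value></cybox:Properties></cybox:Object></indicator:Observable>
     </stix:Indicator>
     <stix:Indicator id="example:indicator-2" xsi:type="indicator:IndicatorType">
      <indicator:Observable><cybox:Object><cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
       <DomainNameObj:Value>Malware-Drop.example.test</DomainNameObj:Value></cybox:Properties></cybox:Object></indicator:Observable>
     </stix:Indicator>
     <stix:Indicator id="example:indicator-3" xsi:type="indicator:IndicatorType">
      <indicator:Observable><cybox:Object><cybox:Properties xsi:type="FileObj:FileObjectType"><FileObj:Hashes>
       <cyboxCommon:Hash><cyboxCommon:Type>SHA256</cyboxCommon:Type>
       <cyboxCommon:Simple_Hash_Value>0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef</cyboxCommon:Simple_Hash_Value>
       </cyboxCommon:Hash></FileObj:Hashes></cybox:Properties></cybox:Object></indicator:Observable>
     </stix:Indicator>
    </stix:Indicators>
   </stix:STIX_Package>
  </taxii_11:Content>
 </taxii_11:Content_Block>
</taxii_11:Poll_Response>"""
```

To run it against the real feed, POST the bytes from build_poll_request("user_AlienVault") to https://otx.alienvault.com/taxii/poll with taxii_headers(your_otx_key) (urllib.request or requests both work) and hand the response body to parse_poll_response; if the reply carries more="true", the remaining pages are fetched with a Poll_Fulfillment request for the returned result_id, which this example does not implement. The parsed domain and URL lists are what the ESA compares against the exception lists in the message-filter rules above, so they are the right place to look when a quarantine trap fires and you want to know which feed entry caused it.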
