External Threat Feed Sources

BVR EDV
Level 1

Hi,

Which External Threat Feeds (ETF) Sources do you use on your ESA?

Are there any recommendations?

Kind regards

Accepted Solution

One, get an account at https://otx.alienvault.com/

Click on API in the top menu.

There's a set of tabs below the header (Resources, Docs, TAXII, Example API Uses); select TAXII.

That will show you what's happening/how it's structured...

In the upper right you should see your OTX key. Copy that.

So, make sure you've enabled the Threat Feeds under Security Services.

Then in Mail Policies/External Threat Feeds Manager, click on Add Source.

Give it a name

Host name is "otx.alienvault.com"

Polling path is "/taxii/poll"

Collection name is "user_AlienVault"

Interval 1 hour

Age 30 days

Time span 30 days

Use HTTPS

User creds, basic, username is your key, password is anything...


12 Replies

mattdrury
Level 1

I've experimented with a few public ones - abuse.ch, lehigh, phishtank - via hailataxii, but haven't found any so far that provide value beyond what ESA is doing for me.

I remain confident, though, and continue to look.

Take a look at Anomali OTX, AlienVault too.

Can you tell me what your configuration was to get OTX and AlienVault to work? I was not able to get the threat feed to setup.

Thank you!

Thank you!

Hi Ken,

I have followed your ETF setup using otx.alienvault.com and the ESA was able to poll the source.

How can I test whether the ETF is working? I am having difficulty generating an email that contains the threat.

Thanks.

Thanks Ken. I am able to configure the external threat feed on Cisco ESA. How do I test this before using it in a mail policy? Any guidance is much appreciated.

Hi there,

I would recommend a safe approach. Create three quarantines on your ESA or SMA:

TrapTAXIDomain
TrapTAXIFile
TrapTAXIURL

Create three message filters like the following three examples.

GUI_Trap_ThreatFeedURL:
    if (url-external-threat-feeds (['Anomali', 'ISAC-XXX', 'Hail-A-Taxi'], "URLWhiteList", 1, 1))
    {
        log-entry("--Trap TAXII URL--");
        insert-header("X-IronPort-TF", "URL");
        duplicate-quarantine("TrapTAXIURL");
    }

GUI_Trap_ThreatFeedDomain:
    if (domain-external-threat-feeds (['Anomali', 'ISAC-XXX', 'Hail-A-Taxi'], ['mail-from', 'from', 'reply-to'], "Domain_BypassList"))
    {
        log-entry("--Trap TAXII Domain--");
        insert-header("X-IronPort-TF", "DOMAIN");
        duplicate-quarantine("TrapTAXIDomain");
    }

GUI_Trap_ThreatFeedHash:
    if (file-hash-etf-rule (['Anomali', 'ISAC-XXX', 'Hail-A-Taxi'], ""))
    {
        log-entry("--Trap TAXII Hash--");
        insert-header("X-IronPort-TF", "FILE");
        duplicate-quarantine("TrapTAXIFile");
    }

Those three filters, once activated, will copy messages which match any of the three filters to the corresponding PVO. From there you can check and inspect if the results make sense to you without impacting end user delivery for now.

You might need to repeat this exercise for different feeds and test them at least for 30 days before taking hard actions.

I hope that helps

-Marc

Here you go:

Hostname: otx.alienvault.com
Polling Path: /taxii/poll
Collection Name: user_AlienVault
Username / API Key: (provided from OTX)

Password: (anything - it's ignored)

Feed(s): guest.Abuse_ch, etc

Hi

Is it possible to view the entries/data inside that ETF ?

Not from the ESA.
You'll have to view it from a client like STAXX or other feed client.
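Since the ESA only reports whether a poll succeeded, the quickest way to see what a TAXII source actually contains is to poll it yourself with the same settings. Below is an added example written for this thread, not code from Cisco, AlienVault or any poster: a minimal TAXII 1.1 poll client in Python that reproduces the source settings from the accepted solution (host otx.alienvault.com, path /taxii/poll, collection user_AlienVault, HTTPS, basic auth with the OTX key as the user name and a throwaway password) and sorts the STIX observables in the reply into the three buckets the ESA rule types consume (URLs, domains, file hashes). Assumptions: TAXII 1.1 XML binding headers and URNs as in the TAXII specification, STIX 1.1.1/CybOX 2.1 object types; the Poll_Response, Status_Message and the SHA256 value embedded below are constructed for the test and are not real feed content.

```python
"""Minimal TAXII 1.1 poll client mirroring the ESA source settings in this thread.
Added example, not Cisco or AlienVault code; the sample messages below are constructed."""
import base64
import hashlib
import re
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

TAXII_NS = "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
CYBOX_NS = "http://cybox.mitre.org/cybox-2"
CYBOX_COMMON_NS = "http://cybox.mitre.org/common-2"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
HEX_RE = re.compile(r"[0-9a-f]+")


def request_headers(api_key, password="ignored"):
    """What the ESA 'basic' credential option boils down to: OTX key as the user name,
    any password, plus the TAXII 1.1 negotiation headers."""
    token = base64.b64encode(f"{api_key}:{password}".encode()).decode()
    return {
        "Authorization": f"Basic {token}",
        "Content-Type": "application/xml",
        "Accept": "application/xml",
        "X-TAXII-Accept": "urn:taxii.mitre.org:message:xml:1.1",
        "X-TAXII-Content-Type": "urn:taxii.mitre.org:message:xml:1.1",
        "X-TAXII-Protocol": "urn:taxii.mitre.org:protocol:https:1.0",
        "X-TAXII-Services": "urn:taxii.mitre.org:services:1.1",
    }


def build_poll_request(collection="user_AlienVault", days_back=30, now=None):
    """Poll_Request for everything published in the last `days_back` days
    (the 'Time span 30 days' setting in the accepted solution)."""
    now = now or datetime.now(timezone.utc)
    ET.register_namespace("taxii_11", TAXII_NS)
    root = ET.Element(f"{{{TAXII_NS}}}Poll_Request",
                      {"message_id": uuid.uuid4().hex, "collection_name": collection})
    begin = ET.SubElement(root, f"{{{TAXII_NS}}}Exclusive_Begin_Timestamp")
    begin.text = (now - timedelta(days=days_back)).isoformat()
    ET.SubElement(root, f"{{{TAXII_NS}}}Inclusive_End_Timestamp").text = now.isoformat()
    params = ET.SubElement(root, f"{{{TAXII_NS}}}Poll_Parameters", {"allow_asynch": "false"})
    ET.SubElement(params, f"{{{TAXII_NS}}}Response_Type").text = "FULL"
    return ET.tostring(root, encoding="unicode")


def _local(tag):
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, local_name):
    for child in elem:
        if _local(child.tag) == local_name:
            return (child.text or "").strip()
    return ""


def parse_poll_response(xml_text):
    """Walk the STIX/CybOX observables in a Poll_Response and bucket the indicators
    the three ESA rule types consume: URLs, sender domains and file hashes."""
    root = ET.fromstring(xml_text)
    kind = _local(root.tag)
    if kind == "Status_Message":  # e.g. UNAUTHORIZED: the key pasted into 'username' is wrong
        raise ValueError(f"TAXII {root.get('status_type')}: {_child_text(root, 'Message')}")
    if kind != "Poll_Response":
        raise ValueError(f"unexpected TAXII message {kind}")
    found = {"url": [], "domain": [], "sha256": []}
    for props in root.iter(f"{{{CYBOX_NS}}}Properties"):
        obj_type = props.get(XSI_TYPE, "").rsplit(":", 1)[-1]
        if obj_type == "URIObjectType":
            found["url"].append(_child_text(props, "Value"))
        elif obj_type == "DomainNameObjectType":
            found["domain"].append(_child_text(props, "Value").lower())
        elif obj_type == "FileObjectType":
            for h in props.iter(f"{{{CYBOX_COMMON_NS}}}Hash"):
                algo = _child_text(h, "Type").lower() or "hash"
                value = _child_text(h, "Simple_Hash_Value").lower()
                if HEX_RE.fullmatch(value):  # drop anything that is not a plain hex digest
                    found.setdefault(algo, []).append(value)
    return found


def poll(api_key, host="otx.alienvault.com", path="/taxii/poll", collection="user_AlienVault"):
    """One HTTPS poll using exactly the host/path/collection the ESA is configured with."""
    import urllib.request
    req = urllib.request.Request(f"https://{host}{path}", data=build_poll_request(collection).encode(),
                                 headers=request_headers(api_key), method="POST")
    with urllib.request.urlopen(req, timeout=120) as resp:
        return parse_poll_response(resp.read())


# Constructed sample hash (digest of a fixed string, not a real file) and a constructed
# Poll_Response with one observable per indicator type, using .invalid reserved names.
SAMPLE_SHA256 = hashlib.sha256(b"constructed sample, not a real malware hash").hexdigest()
SAMPLE_POLL_RESPONSE = """<taxii_11:Poll_Response
  xmlns:taxii_11="http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
  xmlns:stix="http://stix.mitre.org/stix-1" xmlns:cybox="http://cybox.mitre.org/cybox-2"
  xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
  xmlns:URIObj="http://cybox.mitre.org/objects#URIObject-2"
  xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
  xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  message_id="2" in_response_to="1" collection_name="user_AlienVault" more="false">
 <taxii_11:Content_Block>
  <taxii_11:Content_Binding binding_id="urn:stix.mitre.org:xml:1.1.1"/>
  <taxii_11:Content><stix:STIX_Package id="example:Package-1" version="1.1.1">
   <stix:Observables cybox_major_version="2" cybox_minor_version="1">
    <cybox:Observable id="example:obs-1"><cybox:Object id="example:obj-1">
     <cybox:Properties xsi:type="URIObj:URIObjectType" type="URL">
      <URIObj:Value>http://payload.invalid/update.exe</URIObj:Value>
     </cybox:Properties></cybox:Object></cybox:Observable>
    <cybox:Observable id="example:obs-2"><cybox:Object id="example:obj-2">
     <cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType" type="FQDN">
      <DomainNameObj:Value>Phish-Sender.INVALID</DomainNameObj:Value>
     </cybox:Properties></cybox:Object></cybox:Observable>
    <cybox:Observable id="example:obs-3"><cybox:Object id="example:obj-3">
     <cybox:Properties xsi:type="FileObj:FileObjectType"><FileObj:Hashes><cyboxCommon:Hash>
       <cyboxCommon:Type>SHA256</cyboxCommon:Type>
       <cyboxCommon:Simple_Hash_Value>%s</cyboxCommon:Simple_Hash_Value>
     </cyboxCommon:Hash></FileObj:Hashes></cybox:Properties></cybox:Object></cybox:Observable>
   </stix:Observables></stix:STIX_Package></taxii_11:Content>
 </taxii_11:Content_Block>
</taxii_11:Poll_Response>""" % SAMPLE_SHA256
SAMPLE_STATUS_MESSAGE = ('<taxii_11:Status_Message xmlns:taxii_11="%s" message_id="3" '
                         'in_response_to="1" status_type="UNAUTHORIZED">'
                         '<taxii_11:Message>bad API key</taxii_11:Message>'
                         '</taxii_11:Status_Message>' % TAXII_NS)

if __name__ == "__main__":
    import os
    key = os.environ.get("OTX_API_KEY")  # set it to poll OTX for real; otherwise use the sample
    indicators = poll(key) if key else parse_poll_response(SAMPLE_POLL_RESPONSE)
    for bucket, values in indicators.items():
        print(f"{bucket}: {len(values)} indicator(s), e.g. {values[:1]}")
```

Run it with OTX_API_KEY set to get the real collection; without a key it parses the constructed sample. A Status_Message with status_type UNAUTHORIZED in place of a Poll_Response is what a wrong or expired key looks like, which is worth checking before blaming the ESA side, and the bucket counts give a feel for how much of a feed the URL, domain and file-hash rules can actually use.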
