04-17-2019 03:53 AM
Hi,
Which External Threat Feed (ETF) sources do you use on your ESA?
Are there any recommendations?
Kind regards
04-25-2019 12:20 PM
I've experimented with a few public ones - abuse.ch, lehigh, phishtank - via hailataxii, but haven't found any so far that provide value beyond what ESA is doing for me.
I remain confident, though, and continue to look.
05-24-2019 03:17 PM
Take a look at Anomali OTX, AlienVault too.
07-23-2019 06:57 AM
Can you tell me what your configuration was to get OTX and AlienVault to work? I was not able to get the threat feed to set up.
07-23-2019 07:38 AM
07-23-2019 08:28 AM
Thank you!
11-25-2019 12:59 PM
Hi Ken,
I have followed your ETF setup using otx.alienvault.com and the ESA was able to poll the source.
How can I test whether the ETF is working? My difficulty is generating an email that contains the threat.
Thanks.
12-26-2019 09:55 PM
Thanks Ken. I am able to configure the external threat feed on Cisco ESA. How can I test this before using it in a mail policy? Any guidance is much appreciated.
12-27-2019 06:18 AM
Hi there,
I would recommend a safe approach. Create three quarantines on your ESA or SMA.
TrapTAXIDomain
TrapTAXIFile
TrapTAXIURL
Create three message filters like the following three examples.
GUI_Trap_ThreatFeedURL: if (url-external-threat-feeds(['Anomali', 'ISAC-XXX', 'Hail-A-Taxi'], "URLWhiteList", 1, 1)) { log-entry("--Trap TAXII URL--"); insert-header("X-IronPort-TF", "URL"); duplicate-quarantine("TrapTAXIURL"); }
GUI_Trap_ThreatFeedDomain: if (domain-external-threat-feeds(['Anomali', 'ISAC-XXX', 'Hail-A-Taxi'], ['mail-from', 'from', 'reply-to'], "Domain_BypassList")) { log-entry("--Trap TAXII Domain--"); insert-header("X-IronPort-TF", "DOMAIN"); duplicate-quarantine("TrapTAXIDomain"); }
GUI_Trap_ThreatFeedHash: if (file-hash-etf-rule(['Anomali', 'ISAC-XXX', 'Hail-A-Taxi'], "")) { log-entry("--Trap TAXII Hash--"); insert-header("X-IronPort-TF", "FILE"); duplicate-quarantine("TrapTAXIFile"); }
Those three filters, once activated, will copy messages which match any of the three filters to the corresponding PVO. From there you can check and inspect whether the results make sense to you without impacting end-user delivery for now.
You might need to repeat this exercise for different feeds and test them for at least 30 days before taking hard actions.
I hope that helps
-Marc
07-23-2019 07:49 AM
Here you go:
Hostname: otx.alienvault.com
Polling Path: /taxii/poll
Collection Name: user_AlienVault
Username / API Key: (provided from OTX)
Password: (anything - it's ignored)
Feed(s): guest.Abuse_ch, etc.
10-20-2021 10:14 PM
Hi
Is it possible to view the entries/data inside that ETF?
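The question above asks to see what a feed actually contains, and Marc's post earlier in the thread traps on three kinds of entries (URLs, domains, file hashes). As an added example that is not from this thread or from Cisco, here is a small Python parser for a TAXII 1.1 Poll_Response (the message format a TAXII 1.1 poll path such as /taxii/poll returns) that groups those three observable types; the sample response embedded below is constructed, and the function name and namespace table are my own.

```python
import xml.etree.ElementTree as ET

# Namespaces needed to walk a TAXII 1.1 Poll_Response carrying STIX 1.1.1 / CybOX 2 content.
NS = {
    "taxii_11": "http://taxii.mitre.org/messages/taxii_xml_binding-1.1",
    "URIObj": "http://cybox.mitre.org/objects#URIObject-2",
    "DomainNameObj": "http://cybox.mitre.org/objects#DomainNameObject-1",
    "cyboxCommon": "http://cybox.mitre.org/common-2",
}

# Constructed sample response: one STIX content block holding a URL, a domain and a SHA-256 indicator.
SAMPLE_POLL_RESPONSE = """<taxii_11:Poll_Response
 xmlns:taxii_11="http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
 xmlns:stix="http://stix.mitre.org/stix-1" xmlns:indicator="http://stix.mitre.org/Indicator-2"
 xmlns:cybox="http://cybox.mitre.org/cybox-2" xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
 xmlns:URIObj="http://cybox.mitre.org/objects#URIObject-2" xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1" xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
 message_id="2" in_response_to="1" collection_name="user_AlienVault" more="false">
<taxii_11:Content_Block>
 <taxii_11:Content_Binding binding_id="urn:stix.mitre.org:xml:1.1.1"/>
 <taxii_11:Content><stix:STIX_Package><stix:Indicators>
  <stix:Indicator><indicator:Observable><cybox:Object><cybox:Properties type="URL">
   <URIObj:Value>http://malicious.example/login.php</URIObj:Value></cybox:Properties></cybox:Object></indicator:Observable></stix:Indicator>
  <stix:Indicator><indicator:Observable><cybox:Object><cybox:Properties>
   <DomainNameObj:Value>malicious.example</DomainNameObj:Value></cybox:Properties></cybox:Object></indicator:Observable></stix:Indicator>
  <stix:Indicator><indicator:Observable><cybox:Object><cybox:Properties><FileObj:Hashes><cyboxCommon:Hash>
   <cyboxCommon:Type>SHA256</cyboxCommon:Type><cyboxCommon:Simple_Hash_Value>0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef</cyboxCommon:Simple_Hash_Value>
  </cyboxCommon:Hash></FileObj:Hashes></cybox:Properties></cybox:Object></indicator:Observable></stix:Indicator>
 </stix:Indicators></stix:STIX_Package></taxii_11:Content>
</taxii_11:Content_Block></taxii_11:Poll_Response>"""


def extract_indicators(poll_response_xml):
    """Group the URL, domain and file-hash observables found in every STIX content block."""
    root = ET.fromstring(poll_response_xml)
    found = {"url": [], "domain": [], "hash": []}
    for block in root.findall("taxii_11:Content_Block", NS):
        binding = block.find("taxii_11:Content_Binding", NS)
        content = block.find("taxii_11:Content", NS)
        # Only STIX XML bindings carry indicators; skip any other content the server returns.
        if binding is None or content is None or not binding.get("binding_id", "").startswith("urn:stix.mitre.org:xml"):
            continue
        for key, prefix, tag in (("url", "URIObj", "Value"), ("domain", "DomainNameObj", "Value"), ("hash", "cyboxCommon", "Simple_Hash_Value")):
            for elem in content.iter("{%s}%s" % (NS[prefix], tag)):
                value = (elem.text or "").strip()
                if value:
                    found[key].append(value.lower() if key == "hash" else value)
    return found


if __name__ == "__main__":
    for kind, values in extract_indicators(SAMPLE_POLL_RESPONSE).items():
        print(kind, values)
```

Pointing it at a saved response from your own collection shows which entries the URL, domain and hash trap filters could match before any hard action is configured.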