253 Views | 0 Helpful | 3 Replies

Default Action Supported for Third-party integration feeds

My organization is ingesting third-party intelligence feeds into our FMC via STIX/TAXII. A default action of block is not supported for this delivery method. Because ours is a sparsely staffed team that fills many widely ranging IT roles, and the feeds we ingest often contain several thousand observables, we can't feasibly keep up with the manual process of clicking each one and setting it to block. Can anybody confirm whether there is a way to bulk edit observables under Integration > Sources > Observables? Or can switching from STIX/TAXII to ingesting a flat file help us get around not being able to block by default?

TAC, while usually helpful, hasn't been able to give me a straight answer and neither can Google. I see in some places on the web that a default block action is supported, and in other places straight-up contradictions of that.

Thanks

3 Replies

nspasov
Cisco Employee

This is not possible: https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/770/management-center-device-config-77/threat-intelligence-director.html

You cannot change the Action selection for TAXII sources.
Block is not an Action option for TAXII sources, as STIX data can contain complex indicators,
which the system cannot block. Devices (elements) store and take action based on single observables;
they cannot take action based on multiple observables.

Thank you for rating helpful posts!

Hi,

Thanks, but I already knew you can't change the default action for STIX/TAXII sources, which is why I posted this thread. I'm asking if there is any way to bulk edit them instead of having to do them all individually, OR whether ingesting them with a flat-format .txt file will allow us to default the action to block.

I believe I have found the answer to my own question.

In FMC, if you go to Integration > Sources and then click on the + in the upper right corner, it brings up the Add Source window.

If you change Delivery to Upload and Type to Flat File, the Action drop-down is no longer greyed out.

The supported file type is .txt. You will have to upload multiple files if you want to block different observable types: one file per observable type (e.g., IPv4, Domain, URL, SHA-256, etc.).
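Since the flat-file route needs one .txt per observable type, the practical chore becomes splitting a mixed feed into per-type files before upload. The script below is an added example, not Cisco's code and not something from the thread: it takes a STIX 2.x bundle, keeps only indicators whose pattern is a single comparison on one observable (the kind a device can act on), sorts them into per-type lists, and writes one file per type with one observable per line. The sample bundle is constructed inline, the "one observable per line" layout and the output file names (ipv4.txt, domain.txt, ...) are assumptions about what FMC's flat-file upload accepts rather than documented format, and the pattern matching is a deliberately narrow regular expression, not a full STIX pattern parser. Compound patterns (for example an address AND a port) are reported and skipped, which mirrors the reason given above for why TAXII sources cannot default to block.

```python
import json
import re
from pathlib import Path

# Constructed sample STIX 2.1 bundle for this example (not real feed data).
# The second-to-last indicator is a compound pattern that a device cannot
# enforce as a single observable; the last object is not an indicator at all.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.5']"},
        {"type": "indicator", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.7']"},
        {"type": "indicator", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.5']"},   # duplicate on purpose
        {"type": "indicator", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'malware.example']"},
        {"type": "indicator", "pattern_type": "stix",
         "pattern": "[url:value = 'http://malware.example/dl/a.exe']"},
        {"type": "indicator", "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']"},
        {"type": "indicator", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '192.0.2.9' AND network-traffic:dst_port = 4444]"},
        {"type": "malware", "name": "not an indicator"},
    ],
})

# STIX object path -> observable type used to name the upload file.
# ASSUMPTION: these file names are this example's choice, not FMC's requirement.
OBSERVABLE_TYPES = {
    "ipv4-addr:value": "ipv4",
    "ipv6-addr:value": "ipv6",
    "domain-name:value": "domain",
    "url:value": "url",
    "file:hashes.'SHA-256'": "sha256",
}

# Accepts exactly one comparison of the form [ <object-path> = '<value>' ].
# Anything with AND/OR/FOLLOWEDBY or several comparisons will not match.
SINGLE_COMPARISON = re.compile(
    r"^\[\s*([A-Za-z0-9\-]+:[A-Za-z0-9_.'\-]+)\s*=\s*'([^']+)'\s*\]$"
)


def split_observables(bundle_json: str):
    """Return ({observable_type: [values...]}, [patterns that were skipped])."""
    bundle = json.loads(bundle_json)
    by_type = {}
    unsupported = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        pattern = obj.get("pattern", "").strip()
        m = SINGLE_COMPARISON.match(pattern)
        if not m or m.group(1) not in OBSERVABLE_TYPES:
            unsupported.append(pattern)   # complex or unknown: cannot be a single block entry
            continue
        kind, value = OBSERVABLE_TYPES[m.group(1)], m.group(2)
        if kind == "sha256":
            value = value.lower()
            if not re.fullmatch(r"[0-9a-f]{64}", value):
                unsupported.append(pattern)   # malformed hash, do not upload it
                continue
        values = by_type.setdefault(kind, [])
        if value not in values:               # dedupe while preserving feed order
            values.append(value)
    return by_type, unsupported


def write_flat_files(by_type, out_dir):
    """Write one .txt per observable type, one observable per line (assumed layout)."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    written = {}
    for kind, values in sorted(by_type.items()):
        path = out / f"{kind}.txt"
        path.write_text("\n".join(values) + "\n", encoding="utf-8")
        written[kind] = str(path)
    return written


if __name__ == "__main__":
    by_type, unsupported = split_observables(SAMPLE_BUNDLE)
    for kind, path in write_flat_files(by_type, "tid_upload").items():
        print(f"{kind}: {len(by_type[kind])} observables -> {path}")
    for p in unsupported:
        print("skipped (not a single observable):", p)
```

Each file in the output directory is then added as its own Flat File source (Delivery: Upload) with Action set to Block. Keep the skipped-pattern list: those are the indicators you still have to handle by hand, or accept as monitor-only, because no flat file can carry them.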
