Security Feeds
The Cisco Secure Access Security Feeds API enables you to create and manage the security feeds for the integrated third-party and custom security vendors. For more information, see Supported Security Vendors.
When you create a security feed, Secure Access adds a destination list for the security feed. The security feed's destination list has the thirdparty_block access type and bundleTypeId of 1. The name of the destination list is the name of the security feed appended with -destination_list.
You can add domains to the destination list for the security feed using the Destination Lists API. When you add the domains, Secure Access evaluates each domain and determines whether to block the domain. Domains that are not blocked by Secure Access are not added to the destination list for the security feed.
You can find the Security Feeds API endpoints under the policies scope in the Secure Access API.
Note: The Security Feeds API is available only for organizations that have a subscription to the Cisco Secure Access DNS packages.
Overview
- How Secure Access Manages Domains in the Security Feed
- Rate Limits for Security Feeds
- Request Headers
- Supported Security Vendors
- Requirements for Creating a Security Feed
- Comparison: Destination Lists API and Security Feeds API
- Security Feeds API Endpoints
How Secure Access Manages Domains in the Security Feed
When a third-party or custom security vendor adds domains in Secure Access from a security feed, Secure Access determines whether to block the domains for the organization.
- When you add domains to the destination list, use the destinationListId for the security feed's destination list. For more information, see Destination Lists API.
- Secure Access reviews each domain added to the destination list for the security feed. If Cisco Secure Access Investigate assigns a Popularity 90 day normalized score below 40 for the domain, Secure Access adds the domain to the vendor's thirdparty_block destination list and blocks the domain.
Rate Limits for Security Feeds
Secure Access enables rate limits on the Security Feeds API endpoints. For more information, see Rate Limits > Security Feeds.
Request Headers
Unless specified, the Secure Access API endpoints use JSON for all requests and responses.
Note: For POST, PUT, and PATCH operations, set the HTTP Content-Type header to application/json in your API request.
Supported Security Vendors
Secure Access supports and integrates with certain third-party and custom security vendors.
| Security Vendor | Feed ID |
|---|---|
| Custom Feed | 0 |
| FireEye | 1 |
| Cyphort | 3 |
| ZeroFOX | 5 |
| ThreatQ | 8 |
| ThreatConnect | 10 |
| Cisco AMP Threat Grid | 11 |
Requirements for Creating a Security Feed
- Secure Access supports only fully-qualified domain names (FQDNs) in thirdparty_block destination lists.
- You can add at most 100 domains from a security feed in the body of a Destination Lists API request.
- You cannot delete a third-party security vendor in Secure Access, but you can disable the security feed for the security vendor.
- You can delete a custom security vendor that you added in Secure Access.
- You can create at most ten custom security vendor integrations.
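The FQDN-only and 100-domains-per-request requirements above, as an added Python example (not Cisco's code): it filters a vendor feed's indicators down to FQDNs, deduplicates them, and splits them into batches sized for one Destination Lists API request each. The function names, the sample feed, and the FQDN validity rules are assumptions; sending each batch is left to the Destination Lists API.

```python
import ipaddress
import re

MAX_DOMAINS_PER_REQUEST = 100  # per-request limit stated on this page
# One DNS label: letters, digits, hyphen; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
# Constructed sample indicators, as a vendor feed might deliver them.
SAMPLE_FEED = ["Bad.Example.COM.", "bad.example.com", "198.51.100.7",
               "http://bad.example.net/login", "*.example.org", "cdn.example.org"]


def normalize_fqdn(indicator):
    """Return the indicator as a lowercase FQDN, or None if it is not one."""
    value = indicator.strip().lower().rstrip(".")
    try:
        ipaddress.ip_address(value.strip("[]"))
        return None  # IPv4/IPv6 literals are not FQDNs
    except ValueError:
        pass
    try:
        value = value.encode("idna").decode("ascii")  # IDN -> punycode
    except UnicodeError:
        return None  # empty or over-long label, or not encodable
    labels = value.split(".")
    # Assumption: require at least two labels and a non-numeric TLD.
    if len(value) > 253 or len(labels) < 2 or labels[-1].isdigit():
        return None
    # Rejects URLs, ports, paths, wildcards and underscores.
    return value if all(_LABEL.match(label) for label in labels) else None


def batch_feed_domains(indicators, batch_size=MAX_DOMAINS_PER_REQUEST):
    """Return (batches, rejected): unique FQDNs in feed order, chunked."""
    seen, accepted, rejected = set(), [], []
    for raw in indicators:
        fqdn = normalize_fqdn(raw)
        if fqdn is None:
            rejected.append(raw)
        elif fqdn not in seen:
            seen.add(fqdn)
            accepted.append(fqdn)
    batches = [accepted[i:i + batch_size]
               for i in range(0, len(accepted), batch_size)]
    return batches, rejected


if __name__ == "__main__":
    batches, rejected = batch_feed_domains(SAMPLE_FEED)
    print(f"{len(batches)} request(s); rejected: {rejected}")
```

Logging the rejected list gives a record of indicators the feed sent that can never land in a thirdparty_block destination list.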
Required Parameters
- vendorId—The ID of the vendor is required only for third-party security vendors.
- name—The name of the security vendor.
Optional Parameters
- enabled—Specify whether to enable the security feed. Set the enabled field to Y for enable or N for disable.
- apiKey—The API key is optional and only certain third-party or custom security vendors require an API key for the integration. Cisco AMP Threat Grid requires an API key to create the security feed.
Comparison: Destination Lists API and Security Feeds API
You can manage domains with the Secure Access Destination Lists API and Security Feeds API.
The Secure Access Destination Lists API enables you to create and manage destinations in Allow and Block destination lists. You can add or delete destinations and customize destination lists. A destination is an IP address (IPv4 and IPv6), URL, or domain.
The Secure Access Security Feeds API enables you to create and manage the security feeds for integrated third-party and custom security vendors. Secure Access creates a destination list for the security feed. The organization adds domains to the destination list for the security feed and then Secure Access determines whether to block the domains in the security feed.
Security Feeds API Endpoints
- List Security Feeds
- Create Security Feed
- Get Security Feed
- Update Security Feed
- Delete Security Feed
Contact: Cloud Security Developer Community