Threat Intelligence Feeds
The Cisco Secure Access Threat Intelligence Feeds API enables you to create and manage the threat feeds for the integrated third-party and custom security vendors. For more information, see Supported Security Vendors.
When you create a threat feed, Secure Access adds a destination list for the integration of the threat feed. The threat feed's destination list has the `thirdparty_block` access type and a `bundleTypeId` of 1. The name of the destination list is the name of the threat feed appended with `-destination_list`.
You can add domains to the threat feed's destination list using the Destination Lists API. When you add the domains, Secure Access evaluates each domain and determines whether to block the domain. Domains that are not blocked by Secure Access are not added to the threat feed's destination list.
You can find the Threat Intelligence Feeds API endpoints under the `policies` scope in the Secure Access API.
Overview
- How Secure Access Manages Domains in the Threat Feed
- Rate Limits for Threat Intelligence Feeds
- Request Headers
- Supported Security Vendors
- Requirements for Creating a Threat Feed
- Comparison: Destination Lists API and Threat Intelligence Feeds API
- Threat Intelligence Feeds API Endpoints
How Secure Access Manages Domains in the Threat Feed
When a third-party or custom security vendor adds domains in Secure Access from a threat feed, Secure Access determines whether to block the domains for the organization.
- Use the `destinationListId` for the threat feed's destination list when you add domains to the destination list. For more information, see Destination Lists API.
- Secure Access reviews each domain added to the threat feed's destination list. If Cisco Secure Access Investigate assigns a Popularity 90 day normalized score below 40 for the domain, Secure Access adds the domain to the vendor's `thirdparty_block` destination list and blocks the domain.
Rate Limits for Threat Intelligence Feeds
Secure Access enables rate limits on the Threat Intelligence Feeds API endpoints. For more information, see Rate Limits > Threat Intelligence Feeds.
Request Headers
Unless specified, the Secure Access API endpoints use JSON for all requests and responses.
Note: For POST, PUT, and PATCH operations, set the HTTP `Content-Type` header to `application/json` in your API request.
Supported Security Vendors
Secure Access supports and integrates with certain third-party and custom security vendors.
| Security Vendor | Feed ID |
|---|---|
| Custom Feed | 0 |
| FireEye | 1 |
| Cyphort | 3 |
| ZeroFOX | 5 |
| ThreatQ | 8 |
| ThreatConnect | 10 |
| Cisco AMP Threat Grid | 11 |
Requirements for Creating a Threat Feed
- Secure Access supports only fully-qualified domain names (FQDNs) in `thirdparty_block` destination lists.
- You can add at most 100 domains from a threat feed in the body of a Destination Lists API request.
- You cannot delete a third-party security vendor in Secure Access, but you can disable the threat feed for the security vendor.
- You can delete a custom security vendor that you added in Secure Access.
- You can create at most ten custom security vendor integrations.
Required Parameters
- vendorId—The ID of the vendor is required only for third-party security vendors.
- name—The name of the security vendor.
Optional Parameters
- enabled—Specify whether to enable the threat feed. Set the `enabled` field to `Y` for enable or `N` for disable.
- apiKey—The API key is optional; only certain third-party or custom security vendors require an API key for the integration. Cisco AMP Threat Grid requires an API key to create the threat feed.
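The workflow described above (create the feed, then push domains to the feed's `thirdparty_block` destination list in requests of at most 100 FQDNs, then see which ones Secure Access chose not to block) as an added Python example. This is not Cisco's code and not part of this page; the base URL, the `/destinationlists/{id}/destinations` path, the `[{"destination": ...}]` body shape, and the feed and list IDs are assumptions and placeholders to confirm against the Secure Access API reference. The code builds the requests but does not send them, so it runs offline.

```python
"""Stage domains for a Secure Access threat feed's destination list.

Added example, not Cisco's code. Assumptions (labelled): BASE_URL, the
destination-list path, and the request body shape are placeholders.
"""
import json
import re
import urllib.request

# Assumption: placeholder base URL; replace with the documented Secure Access API host.
BASE_URL = "https://api.example.invalid/policies/v2"
# Stated limit: at most 100 domains per Destination Lists API request body.
MAX_DOMAINS_PER_REQUEST = 100

# thirdparty_block lists accept only FQDNs: hyphen/alnum labels, at least two
# labels, an alphabetic top-level label, no scheme, port or path.
_LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
_FQDN_RE = re.compile(rf"^(?:{_LABEL}\.)+[a-z][a-z0-9-]{{1,62}}$", re.IGNORECASE)


def destination_list_name(feed_name: str) -> str:
    """Name Secure Access gives the list it creates for a threat feed."""
    return f"{feed_name}-destination_list"


def is_fqdn(value: str) -> bool:
    """True for a bare fully-qualified domain name (trailing dot tolerated)."""
    return bool(_FQDN_RE.match(value.strip().rstrip(".")))


def split_feed_entries(entries):
    """Keep FQDNs; set aside IPs, URLs and bare hostnames, which the
    thirdparty_block list does not accept. Returns (accepted, rejected)."""
    accepted, rejected = [], []
    for entry in entries:
        (accepted if is_fqdn(entry) else rejected).append(entry)
    return accepted, rejected


def batches(domains, size=MAX_DOMAINS_PER_REQUEST):
    """Chunk the domain list so no single request exceeds the stated limit."""
    return [domains[i:i + size] for i in range(0, len(domains), size)]


def build_feed_request(name, vendor_id=None, enabled=True, api_key=None):
    """JSON body for creating a threat feed. vendorId is required only for
    third-party vendors; apiKey only where the vendor requires one
    (for example Cisco AMP Threat Grid, feed ID 11)."""
    body = {"name": name, "enabled": "Y" if enabled else "N"}
    if vendor_id is not None:
        body["vendorId"] = vendor_id
    if api_key is not None:
        body["apiKey"] = api_key
    return body


def build_destination_requests(list_id, domains, token):
    """One POST per batch against the feed's destination list. Assumption:
    path and body shape are placeholders to confirm in the API reference."""
    requests_out = []
    for chunk in batches(domains):
        payload = json.dumps([{"destination": d} for d in chunk]).encode()
        requests_out.append(urllib.request.Request(
            f"{BASE_URL}/destinationlists/{list_id}/destinations",
            data=payload,
            method="POST",
            headers={"Content-Type": "application/json",  # required for POST
                     "Authorization": f"Bearer {token}"}))
    return requests_out


def not_blocked(submitted, list_contents):
    """Domains you submitted that are absent from the list afterwards: the
    ones Secure Access evaluated and chose not to block (score not below 40)."""
    present = {d.lower().rstrip(".") for d in list_contents}
    return [d for d in submitted if d.lower().rstrip(".") not in present]


if __name__ == "__main__":
    # Constructed sample feed content, not real indicators.
    raw = ["c2-a.example.com", "198.51.100.7", "http://c2-b.example.net/x",
           "c2-b.example.net", "localhost"]
    ok, bad = split_feed_entries(raw)
    print("accepted:", ok)
    print("rejected:", bad)
    print(build_feed_request("my-custom-feed", vendor_id=0))
    for req in build_destination_requests("list-id-placeholder", ok, "token-placeholder"):
        print(req.method, req.full_url, len(json.loads(req.data)), "domains")
    # After the list settles, fetch it and compare to see what was not blocked.
    print("not blocked:", not_blocked(ok, ["C2-A.example.com."]))
```

Run it, then replace the placeholders with the documented host and path, and the IDs and bearer token from your own tenant, before actually sending the requests. The `not_blocked` comparison is the practitioner's check for the behaviour described above: domains Secure Access decides not to block never appear in the feed's destination list, so a diff of submitted versus listed tells you which entries were dropped.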
Comparison: Destination Lists API and Threat Intelligence Feeds API
You can manage domains with the Secure Access Destination Lists API and Threat Intelligence Feeds API.
The Secure Access Destination Lists API enables you to create and manage destinations in `Allow` and `Block` destination lists. You can add or delete destinations and customize destination lists. A destination is an IP address (IPv4 or IPv6), URL, or domain.
The Secure Access Threat Intelligence Feeds API enables you to create and manage the threat feeds for integrated third-party and custom security vendors. Secure Access creates a destination list for the threat feed integration. The organization adds domains to the threat feed's destination list and then Secure Access determines whether to block the domains in the threat feed.
Threat Intelligence Feeds API Endpoints
Contact: Cloud Security Developer Community