Threat Intelligence Feeds API
The Cisco Secure Access Threat Intelligence Feeds API enables you to discover TAXII API roots and collections provided by a threat intelligence feed, get the threat intelligence feeds configured in the organization, update the settings for the threat intelligence feed, and delete a threat intelligence feed.
You can find the Cisco Secure Access Threat Intelligence Feeds API endpoints under the admin scope in the Secure Access API.
Overview
- About Threat Intelligence Feeds
- Rate Limits for Threat Intelligence Feeds API
- Request Headers
- Threat Intelligence Feeds API Endpoints
About Threat Intelligence Feeds
Secure Access supports the integration of threat intelligence feeds in a Secure Access organization. Threat intelligence feeds are services that provide collections of information about security threats and indicators of compromise (IOCs).
In Secure Access, you can add a Third-party Integration and configure the integration of a threat intelligence feed.
- The threat intelligence feed must provide the collections of data in the Structured Threat Information eXpression (STIX) JSON schema.
- The threat intelligence feed must deliver the data using the Trusted Automated eXchange of Intelligence Information (TAXII) protocol.
- The threat intelligence feed must provide a collection of IOCs that includes IPv4 or IPv6 addresses, fully-qualified domain names (FQDNs), and URLs.
When you integrate a threat intelligence feed in your organization, Secure Access creates and manages a dedicated destination list in the organization.
Once Secure Access begins to collect data from the integrated threat intelligence feed, you can view the destinations in the destination list. The new destination list is available to add to the internet access rules in the organization's Access policy.
Requirements for Integrating a Threat Intelligence Feed
- The threat intelligence feed must support the STIX 2.0/2.1 JSON schema over the TAXII 2.0/2.1 protocol.
- The threat intelligence feed must support, at a minimum, HTTP Basic authentication with a username and password. Basic credentials are only base64-encoded, not encrypted, so the feed URL should be served over HTTPS.
- The threat intelligence feed must have a publicly accessible URL.
- The threat intelligence feed must provide a unique identifier for the STIX collection.
- The threat intelligence feed must provide a collection of IOCs with IPv4 or IPv6 addresses, fully-qualified domain names (FQDNs), and URLs.
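As an added example (not Cisco's code and not a Secure Access API call), the following Python script checks a feed offline against the requirements above: it walks a TAXII 2.1 discovery document and collections document, builds the Basic authentication header, and pulls IPv4, IPv6, FQDN and URL indicators out of a STIX 2.1 bundle the way a destination list would be populated. The discovery, collections and bundle documents are constructed sample data, and the function names (check_feed, extract_iocs, basic_auth_header) are chosen here.

```python
"""Offline pre-flight check of a TAXII 2.1 feed against the listed requirements.

Added example, not Cisco code. DISCOVERY, COLLECTIONS and BUNDLE are constructed
sample documents; the function names are illustrative.
"""
import base64
import ipaddress
import re
from urllib.parse import urlparse

# Constructed TAXII 2.1 discovery document and collections document.
DISCOVERY = {"title": "Example TI feed",
             "default": "https://taxii.example.net/api1/",
             "api_roots": ["https://taxii.example.net/api1/"]}
COLLECTIONS = {"collections": [{
    "id": "91a7b528-80eb-42ed-a74d-c6fbd5a26116", "title": "Malicious destinations",
    "can_read": True, "can_write": False,
    "media_types": ["application/stix+json;version=2.1"]}]}
# Constructed STIX 2.1 bundle: three usable indicators, one unsupported observable
# type (file hash), one revoked indicator and one malformed domain value.
BUNDLE = {"type": "bundle", "id": "bundle--0f1c1a8e-5b6d-4a1f-9f3a-7e2d4c6b8a90", "objects": [
    {"type": "indicator", "id": "indicator--1", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '198.51.100.7']"},
    {"type": "indicator", "id": "indicator--2", "pattern_type": "stix",
     "pattern": "[ipv6-addr:value = '2001:db8::bad']"},
    {"type": "indicator", "id": "indicator--3", "pattern_type": "stix",
     "pattern": "[domain-name:value = 'c2.example.org' OR url:value = 'http://c2.example.org/gate.php']"},
    {"type": "indicator", "id": "indicator--4", "pattern_type": "stix",
     "pattern": "[file:hashes.'SHA-256' = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']"},
    {"type": "indicator", "id": "indicator--5", "pattern_type": "stix", "revoked": True,
     "pattern": "[ipv4-addr:value = '203.0.113.9']"},
    {"type": "indicator", "id": "indicator--6", "pattern_type": "stix",
     "pattern": "[domain-name:value = 'not a domain']"},
]}

# Comparison expressions for the four observable types a destination list can hold.
OBSERVABLE_RE = re.compile(r"(ipv4-addr|ipv6-addr|domain-name|url):value\s*=\s*'((?:[^'\\]|\\.)*)'")
LABEL_RE = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def basic_auth_header(username, password):
    """HTTP Basic credential as a TAXII server expects it (base64, not encrypted)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def valid_fqdn(name):
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(LABEL_RE.fullmatch(label) for label in labels)


def valid_url(value):
    parts = urlparse(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def extract_iocs(bundle):
    """Return (iocs, rejected): iocs maps ipv4/ipv6/fqdn/url to clean values,
    rejected lists (indicator id, type, value) that failed validation.
    Revoked indicators and non-STIX pattern types are skipped."""
    iocs = {"ipv4": set(), "ipv6": set(), "fqdn": set(), "url": set()}
    rejected = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue
        for kind, raw in OBSERVABLE_RE.findall(obj.get("pattern", "")):
            value = raw.replace("\\'", "'").replace("\\\\", "\\")  # undo STIX escaping
            if kind in ("ipv4-addr", "ipv6-addr"):
                bucket = "ipv4" if kind == "ipv4-addr" else "ipv6"
                try:  # ip_network accepts single addresses and CIDR ranges alike
                    ok = ipaddress.ip_network(value, strict=False).version == int(bucket[-1])
                except ValueError:
                    ok = False
            elif kind == "domain-name":
                bucket, ok = "fqdn", valid_fqdn(value)
            else:
                bucket, ok = "url", valid_url(value)
            (iocs[bucket].add(value) if ok else rejected.append((obj["id"], kind, value)))
    return iocs, rejected


def check_feed(discovery, collections, bundle):
    """Return the requirement violations found; an empty list means the feed looks integrable."""
    problems = []
    roots = discovery.get("api_roots") or []
    if not roots:
        problems.append("discovery document lists no TAXII API roots")
    for root in roots:
        parts = urlparse(root)
        if parts.scheme != "https":
            problems.append(f"API root {root} is not served over https")
        try:  # only an IP-literal host can be judged public offline
            if not ipaddress.ip_address(parts.hostname).is_global:
                problems.append(f"API root {root} host is not a public address")
        except ValueError:
            pass
    for coll in collections.get("collections", []):
        if not coll.get("id"):
            problems.append(f"collection {coll.get('title')!r} has no unique identifier")
        if not coll.get("can_read"):
            problems.append(f"collection {coll.get('id')} is not readable")
        if not any("stix+json" in m and ("version=2.0" in m or "version=2.1" in m)
                   for m in coll.get("media_types", [])):
            problems.append(f"collection {coll.get('id')} does not serve STIX 2.0/2.1 JSON")
    iocs, _ = extract_iocs(bundle)
    if not (iocs["ipv4"] or iocs["ipv6"]):
        problems.append("no IPv4 or IPv6 address indicators found")
    problems += [f"no {k} indicators found" for k in ("fqdn", "url") if not iocs[k]]
    return problems
```

Run `check_feed(DISCOVERY, COLLECTIONS, BUNDLE)` before adding the Third-party Integration: an empty list means the feed exposes API roots, a readable STIX 2.x collection with a unique identifier, and all three destination types, while `extract_iocs` separately reports values a destination list could not hold (here the malformed domain in indicator--6). The script does not contact the feed; pass the header from `basic_auth_header` to your HTTP client when you fetch the real documents.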
How to Integrate a Threat Intelligence Feed in Secure Access
- Subscribe to a threat intelligence feed.
- Add a Third-party Integration in Secure Access with the configuration details for the threat intelligence feed.
- For more information, see Third-Party Integrations.
- Add the destination list associated with the threat intelligence feed in the internet access rules in the organization's Access policy.
- View the details about the impacted internet destinations in the Secure Access Activity Search report or with the Cisco Secure Access Reporting API.
Rate Limits for Threat Intelligence Feeds API
Secure Access enables rate limits on the Threat Intelligence Feeds API endpoints. For more information, see Rate Limits > Admin.
Request Headers
Unless specified, the Secure Access API endpoints use JSON for all requests and responses.
Note: For POST, PUT, and PATCH operations, set the HTTP Content-Type header to application/json in your API request.
Threat Intelligence Feeds API Endpoints
- Discover TAXII API Roots
- List TAXII Collections
- List Threat Intelligence Feeds
- Create Threat Intelligence Feed
- Update Threat Intelligence Feed
- Delete Threat Intelligence Feed
Contact: Cloud Security Developer Community