Adding an Intelligence Feed

Procedure

1. Go to Threat Intelligence → Feed Management.
   The Feed Management screen appears.
2. Click Add.
   The Add Intelligence Feed screen appears.
3. Enable the intelligence feed.
4. Type a name for this intelligence feed.
5. Select the server version for this intelligence feed.

   Note The server version cannot be modified once the intelligence feed has been added.

6. Type the discovery URL for this intelligence feed.
7. (Optional) Select Use server certificate if the server uses it, and then click Select to locate the server certificate file.
8. (Optional) Select Specify authentication credentials if the server requires it, and then type the user name and password used for authentication.
9. (Optional) Select Server requires client authentication if the server requires it, and then click Select to locate the client certificate file.
10. (Optional) Type the client certificate passphrase.
11. Click Discover to find and then select an available collection.
12. Select the frequency at which the intelligence feed is polled for information.
13. Select how far in the past you want to begin polling information from.
14. Click Add.
    The intelligence feed appears in the Feed Management list. Polled information that contains IP addresses, domains, URLs, SHA-1 hash values, and SHA-256 hash values will be added to the User-Defined Suspicious Objects list. Registered appliances receive the updated User-Defined Suspicious Objects list during the next synchronization.

    Note When using TAXII 1.x, only Indicators whose Confidence is not Medium, Low, None, or Unknown will be added to the User-Defined Suspicious Objects list. When using TAXII 2.0, only "indicator" type objects that are not labeled as "anomalous-activity", "anonymization", "benign", or "compromised", and that are not revoked will be added to the User-Defined Suspicious Objects list. When using TAXII 2.0, there are certain specifications to ensure server compatibility. For more information visit the following site: http://docs.oasis-open.org/cti/taxii/v2.0/cs01/taxii-v2.0-cs01.html When using TAXII 2.1, only "indicator" type objects that are not labeled as "anomalous-activity", "anonymization", "benign", "compromised", or "unknown", and that are not revoked will be added to the User-Defined Suspicious Objects list. When using TAXII 2.1, there are certain specifications to ensure server compatibility. For more information visit the following site: https://docs.oasis-open.org/cti/taxii/v2.1/os/taxii-v2.1-os.html