The SMS exchanges cyber threat intelligence using the Trusted Automated Exchange of
Intelligence (TAXII) application layer protocol. The SMS embeds a TAXII 2.0 and TAXII
2.1 server. The threat intelligence information is exchanged in a serialization format
using the Structured Threat Information Expression (STIX) language. The integration
of STIX/TAXII feeds with the SMS enables you to easily identify threats so that you
can keep your existing security controls updated.
Prerequisites
- Threat Protection System (TPS) running TOS v5.0 or later
- Web security certificate
Note: Some third-party TAXII clients may require an appropriate certificate for verification.
Import rules
This section describes the rules you must follow when importing STIX data to the Reputation
database.
- To automatically send STIX data to the SMS, enable the TAXII service. The TAXII service is enabled by default. For more information, see Enable SMS services.
- Only STIX Indicator objects can be added to the Reputation database.
- STIX Indicator objects must only contain a single comparison expression.
- You cannot export STIX objects from the SMS.
Tag categories
The SMS automatically includes the following predefined tag categories for STIX/TAXII
data. Use the following table to map STIX objects with user-provided Reputation tag
categories. Observable objects display as Reputation entries on the SMS. You can use
these entries to create a Reputation filter to protect your environment.
| Reputation tag | STIX object property | Description |
| --- | --- | --- |
| STIX - ID | id | ID of the STIX Indicator object, which is the only STIX 2.0 Domain Object the SMS imports. Indicators contain a pattern that can be used to detect suspicious or malicious cyber activity. For example, an indicator may be used to represent a set of malicious IP addresses, domains, or URLs. To be imported to the Reputation database, an indicator STIX object must: |
| STIX - Severity | labels | Identifies the severity for the discovered threat, based on rules that match severity. Severity is not a standard property for STIX 2.0. |
| STIX - Confidence | labels | Identifies the confidence for the discovered threat, based on rules that match a confidence score. Confidence is not a standard property for STIX 2.0. |
| Reputation Entries TTL | valid_until | Identifies the date that the SMS will remove the entry. |
| - | revoked | If revoked is true, the SMS deletes the entry tagged with the same STIX-ID. |
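As an added example (not code from the SMS documentation or the product), the following Python script checks a STIX 2.1 bundle against the import rules and tag mapping above before it is published to a TAXII collection that the SMS polls: it flags objects that are not Indicators, patterns with more than one comparison expression, missing or expired valid_until dates, and revoked objects. The 'severity:<level>' / 'confidence:<score>' label convention is an assumption, since the SMS matches labels against rules you configure on the SMS itself.

```python
import json
import re
from datetime import datetime, timezone

# Strip single-quoted literals (escapes are \') so an AND/OR inside a value is not read as a pattern operator.
_LITERAL = re.compile(r"'(?:\\.|[^'\\])*'")
_BOOLEAN = re.compile(r"\s(?:AND|OR|FOLLOWEDBY)\s")

def check_indicator(obj: dict, now: datetime = None) -> list:
    """Reasons the SMS would not import obj, or would delete its entry.
    Label convention 'severity:<level>' / 'confidence:<score>' is an assumption;
    the SMS matches labels against rules configured on the SMS itself."""
    now = now or datetime.now(timezone.utc)
    if obj.get("type") != "indicator":
        return ["only STIX Indicator objects are imported"]
    problems = []
    if obj.get("revoked") is True:
        problems.append("revoked: the SMS deletes the entry with this STIX-ID")
    body = _LITERAL.sub("''", obj.get("pattern", ""))
    # One observation expression [...] holding exactly one comparison.
    if body.count("[") != 1 or body.count("]") != 1 or _BOOLEAN.search(body):
        problems.append("pattern must contain a single comparison expression")
    labels = obj.get("labels", [])
    for key in ("severity", "confidence"):
        if not any(lbl.startswith(key + ":") for lbl in labels):
            problems.append(f"no '{key}:' label, so the {key} tag is not set")
    until = obj.get("valid_until")
    if until is None:
        problems.append("no valid_until, so the entry gets no TTL")
    elif datetime.fromisoformat(until.replace("Z", "+00:00")) <= now:
        problems.append("valid_until already passed; entry would expire at once")
    return problems

def triage_bundle(bundle_json: str) -> dict:
    """Map every object id in a STIX bundle to its list of import problems."""
    return {o["id"]: check_indicator(o) for o in json.loads(bundle_json)["objects"]}

# Constructed sample bundle: placeholder ids and TEST-NET / example names.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--0000-1", "objects": [
    {"type": "indicator", "id": "indicator--0000-2", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '198.51.100.7']", "valid_from": "2024-01-01T00:00:00Z",
     "labels": ["severity:high", "confidence:90"], "valid_until": "2099-01-01T00:00:00Z"},
    {"type": "indicator", "id": "indicator--0000-3", "pattern_type": "stix",
     "pattern": "[domain-name:value = 'bad.example' OR domain-name:value = 'worse.example']",
     "valid_from": "2024-01-01T00:00:00Z", "labels": ["severity:low"]},
    {"type": "malware", "id": "malware--0000-4", "name": "placeholder", "is_family": False}]})

if __name__ == "__main__":
    for sid, issues in triage_bundle(SAMPLE_BUNDLE).items():
        print(sid, "OK" if not issues else "; ".join(issues))
```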
