The SMS exchanges cyber threat intelligence using the Trusted Automated Exchange of
Intelligence Information (TAXII) application layer protocol. The exchanged intelligence is
serialized in the Structured Threat Information Expression (STIX) language.
Integrating STIX/TAXII feeds with the SMS lets you identify threats quickly
so that you can keep your existing security controls updated.
Prerequisites
- Threat Protection System (TPS) running TOS v5.0 or later
- Web security certificate
- TAXII client used to send STIX data to the SMS
Note: Some third-party TAXII clients may require an appropriate certificate for verification.
Anomali STAXX, a tool to collect and share STIX/TAXII feeds, is used as an example.
STAXX requires 4 Gb RAM, 2 processors, and 100 Gb storage. Because Anomali STAXX supports
only MD5 hashes, do not use it for file hash reputation. For more information, see
https://www.anomali.com/community/staxx.
Import rules
This section describes the rules you must follow when importing STIX data to the Reputation
database.
- To automatically send STIX data to the SMS, enable the TAXII service. The TAXII service is enabled by default. For more information, see Enable SMS services.
- Only STIX Indicator objects can be added to the Reputation database.
- STIX Indicator objects must only contain a single comparison expression.
- You cannot export STIX objects from the SMS.
Tag categories
The SMS automatically includes the following predefined tag categories for STIX/TAXII
data. Use the following table to map STIX objects with user-provided Reputation tag
categories. Observable objects display as Reputation entries on the SMS. You can use
these entries to create a Reputation filter to protect your environment.
| Reputation tag | STIX object property | Description |
| --- | --- | --- |
| STIX - ID | id | ID of the STIX Indicator object, which is the only STIX 2.0 Domain Object the SMS imports. Indicators contain a pattern that can be used to detect suspicious or malicious cyber activity. For example, an indicator may be used to represent a set of malicious IP addresses, domains, or URLs. To be imported to the Reputation database, an indicator STIX object must: |
| STIX - Severity | labels | Identifies the severity of the discovered threat, based on rules that match severity. Severity is not a standard property in STIX 2.0. |
| STIX - Confidence | labels | Identifies the confidence for the discovered threat, based on rules that match a confidence score. Confidence is not a standard property in STIX 2.0. |
| Reputation Entries TTL | valid_until | Identifies the date on which the SMS will remove the entry. |
| - | revoked | If revoked is true, the SMS deletes the entry tagged with the same STIX-ID. |
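The import rules above and the tag mapping in this table can be checked before a feed is pushed to the SMS. The following Python script is an added example, not SMS or Anomali code: it walks a STIX 2.0 bundle, rejects anything that is not an Indicator, rejects patterns that hold more than one comparison expression, deletes the entry whose STIX-ID matches a revoked indicator, and maps `id`, `labels` and `valid_until` onto the Reputation tags. The label convention `severity:<level>` / `confidence:<score>` and the rejection of indicators whose `valid_until` has already passed are assumptions made for the example; the SMS documents no such label format. The bundle is constructed sample data.

```python
"""Check a STIX 2.0 bundle against the SMS import rules and map accepted
Indicators onto Reputation entries.  Added example; the label conventions
'severity:<level>' and 'confidence:<score>' are assumptions, not an SMS format."""
import json
import re
from datetime import datetime, timezone

# Boolean operators that would make a pattern more than one comparison expression.
_BOOL_OPS = re.compile(r"\s(?:AND|OR|FOLLOWEDBY)\s", re.IGNORECASE)
# One comparison expression: [ <object-type>:<property> <operator> <constant> ]
_SINGLE_CMP = re.compile(
    r"^\[\s*[a-z0-9-]+:[^\s=!<>]+\s*(?:NOT\s+)?"
    r"(?:=|!=|>=|<=|>|<|IN|LIKE|MATCHES|ISSUBSET|ISSUPERSET)\s*\S.*\]$",
    re.IGNORECASE | re.DOTALL,
)


def is_single_comparison(pattern):
    """True when the STIX pattern holds exactly one comparison expression."""
    pattern = pattern.strip()
    return bool(_SINGLE_CMP.match(pattern)) and not _BOOL_OPS.search(pattern)


def _label_value(labels, key):
    """Pull '<key>:<value>' out of the indicator labels (assumed convention)."""
    for label in labels or []:
        if label.lower().startswith(key + ":"):
            return label.split(":", 1)[1].strip()
    return None


def _parse_timestamp(ts):
    """STIX timestamps end in 'Z'; fromisoformat needs an explicit offset."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def import_bundle(bundle, db, now=None):
    """Apply the import rules to every object in a STIX 2.0 bundle.

    db maps STIX id -> Reputation entry and is updated in place.  Returns a
    report of what was added, deleted (revoked) and rejected, with reasons."""
    now = now or datetime.now(timezone.utc)
    report = {"added": [], "deleted": [], "rejected": []}
    for obj in bundle.get("objects", []):
        sid = obj.get("id", "<no id>")
        # Rule: only Indicator objects enter the Reputation database.
        if obj.get("type") != "indicator":
            report["rejected"].append((sid, "not an indicator"))
            continue
        # revoked == true deletes the entry carrying the same STIX-ID.
        if obj.get("revoked") is True:
            if db.pop(sid, None) is not None:
                report["deleted"].append(sid)
            else:
                report["rejected"].append((sid, "revoked, no entry to delete"))
            continue
        pattern = obj.get("pattern", "")
        # Rule: the pattern must be a single comparison expression.
        if not is_single_comparison(pattern):
            report["rejected"].append((sid, "pattern is not a single comparison"))
            continue
        # valid_until becomes the entry TTL; skipping already-expired
        # indicators is an assumption of this example, not a documented rule.
        ttl = obj.get("valid_until")
        if ttl and _parse_timestamp(ttl) <= now:
            report["rejected"].append((sid, "valid_until already passed"))
            continue
        db[sid] = {
            "STIX - ID": sid,
            "STIX - Severity": _label_value(obj.get("labels"), "severity"),
            "STIX - Confidence": _label_value(obj.get("labels"), "confidence"),
            "Reputation Entries TTL": ttl,
            "pattern": pattern,
        }
        report["added"].append(sid)
    return report


# Constructed sample bundle: one good indicator, one with two comparisons,
# one non-indicator object, one revocation and one expired indicator.
SAMPLE_BUNDLE = json.loads("""
{"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
 "objects": [
  {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000010",
   "pattern": "[ipv4-addr:value = '203.0.113.7']",
   "labels": ["malicious-activity", "severity:high", "confidence:90"],
   "valid_from": "2030-01-01T00:00:00Z", "valid_until": "2031-01-01T00:00:00Z"},
  {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000011",
   "pattern": "[domain-name:value = 'bad.example' AND domain-name:value = 'worse.example']",
   "labels": ["malicious-activity"]},
  {"type": "malware", "id": "malware--00000000-0000-4000-8000-000000000012",
   "name": "constructed-sample"},
  {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000013",
   "revoked": true},
  {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000014",
   "pattern": "[domain-name:value = 'expired.example']",
   "valid_until": "2020-01-01T00:00:00Z"}
 ]}
""")


def run_demo():
    """Seed the database with one existing entry, then import the sample bundle."""
    existing = "indicator--00000000-0000-4000-8000-000000000013"
    db = {existing: {"STIX - ID": existing}}
    report = import_bundle(SAMPLE_BUNDLE, db, now=datetime(2030, 6, 1, tzinfo=timezone.utc))
    return db, report


if __name__ == "__main__":
    database, result = run_demo()
    print(json.dumps(result, indent=2))
```

Running the script prints a report in which the IPv4 indicator is added with severity `high` and confidence `90`, the two-comparison indicator, the malware object and the expired indicator are rejected with their reasons, and the revoked indicator removes the pre-seeded entry. The single-comparison check is deliberately conservative: a quoted constant that happens to contain ` AND ` would also be rejected, which is the safer failure for a feed gate.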