Integrate Cloud SIEM with a TAXII Feed

This topic has instructions for integrating Cloud SIEM with a TAXII threat intelligence feed. In this configuration, Cloud SIEM is a TAXII client, and polls a TAXII Server. 

note

To integrate with a TAXII feed, consult the documentation for the feed. For example:

• If you are integrating Cloud SIEM with the Cybersecurity & Information Security Agency (CISA) TAXII feed, see the CISA AIS TAXII Server Connection Guide and Automated Indicator Sharing.
• If you are integrating Cloud SIEM with Anomali Threatstream, see Generating Your Own Threat Intelligence Feeds in ThreatStream on the Anomali blog.

About the integration

To integrate Cloud SIEM with a TAXII feed, you configure the URL of the TAXII provider’s discovery service and a polling interval. At the configured interval, Cloud SIEM uses the discovery service to look up the URL of the poll service, and then sends poll requests to that service, which then returns the indicators to Cloud SIEM.

Leveraging indicators in rules

The integration allows you to enrich incoming records with threat intel information, and leverage that information in Cloud SIEM rules. How does that work? Cloud SIEM compares incoming records with information from the threat feed. When there is a “match”, for instance when an IP address in a record matches an IP address that the feed says is malicious, Cloud SIEM adds relevant information to that record. Because the threat intel information is persisted within records, you can reference it downstream in both rules and search. The built-in rules that come with Cloud SIEM will also automatically create a signal for any record with a match from your threat feed. To leverage the information in a rule, you can extend your custom rule expression, or add a Rule Tuning Expression to a built-in rule. For a more detailed explanation of how to use threat intelligence information in rules, see Threat Intelligence in the About Cloud SIEM Rules topic.

Requirements

Cloud SIEM supports TAXII v1.1 and v1.2. 

Configure the integration

1. Classic UI. In the top menu select Content > Threat Intelligence.
   New UI. In the main Sumo Logic menu, select Cloud SIEM > Threat Intelligence. You can also click the Go To... menu at the top of the screen and select Threat Intelligence.
2. On the Threat Intelligence page, click Add Source.
3. On the Add New Source popup, click TAXII Feed.
   
4. The Add Source page appears.
   
5. Name. Enter a name for the feed.
6. Description. Enter a description of the feed.
7. URL. Enter the URL for the feed provider’s TAXII discovery service endpoint.
8. Poll Interval. Enter the frequency at which you want to poll the feed for updates.
9. Default Indicator TTL. If desired, specify a default TTL that will take effect for Indicators that don’t have a defined expiration.
10. Max Lookback days. You can use this option to tell Cloud SIEM how many days of data to fetch the first time you populate your list of indicators. By default, the first time you populate the list, Cloud SIEM will look for all data from the feed for all time. Note that on subsequent updates, Cloud SIEM will only consider data added to the feed since the last time it was polled.
11. Collections. You can optionally enter a comma-separated list of the specific collections of indicators that you want to retrieve. (The collections available depend on your threat intel provider.) If you leave this field blank, all indicators will be queried.)
12. Subscription ID. As required, an subscription ID to send to the TAXII provider in the poll request.
13. Username. Enter the username for accessing the TAXII server.
14. Password. Enter the password for accessing the TAXII server.
15. Certificate. If required, drop the certificate for accessing the TAXII server into this field. 
16. Certificate Password. Enter the password for the certificate.
17. Click Add TAXII Feed Source.