
Integrate Cloud SIEM with a TAXII Feed

This article has instructions for integrating Cloud SIEM with a TAXII threat intelligence feed.

Note: To integrate with a TAXII feed, first consult the documentation for the feed. For example:

About the integration

To ingest a TAXII feed, you configure the URL of the TAXII provider’s discovery service and a polling interval. At the configured interval, Sumo Logic queries the discovery service to look up the URL of the poll service, then sends poll requests to that service, which returns the indicators. For a TAXII 2.x server the same flow runs over the 2.x endpoints: the discovery response lists API roots, each API root exposes collections, and the objects in each readable collection are fetched, normally filtered by added_after so that a poll returns only indicators added since the previous poll.
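The following is an added example of that discovery-to-objects flow for a TAXII 2.1 server, written for this page; it is not Sumo Logic code and does not show how Cloud SIEM's source is implemented. The HTTP transport is assumed to be injected (a function returning response headers and a JSON body), and the server responses are constructed inline so the example runs offline. It keeps the added_after cursor between polls, follows the TAXII 2.1 next-token pagination, skips non-indicator STIX objects, and pulls observable values out of simple STIX patterns.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

# Accept header a TAXII 2.1 server requires; servers commonly return 406 without it.
TAXII_ACCEPT = "application/taxii+json;version=2.1"
# Simple equality comparisons inside a STIX 2 pattern:
# "[ipv4-addr:value = '198.51.100.7']" -> [("ipv4-addr:value", "198.51.100.7")]
PATTERN_RE = re.compile(r"([\w-]+:[\w.]+)\s*=\s*'([^']*)'")
# Assumed transport shape: get(url, request_headers, params) -> (response_headers, json_body)
Transport = Callable[[str, Dict[str, str], Dict[str, str]], Tuple[Dict[str, str], dict]]


class Taxii2Poller:
    """Discovery -> API root -> readable collections -> objects.
    Persists an added_after cursor (taken from X-TAXII-Date-Added-Last) so each
    poll asks only for objects added since the previous one."""

    def __init__(self, discovery_url: str, transport: Transport, added_after: str = ""):
        self.discovery_url, self.transport, self.added_after = discovery_url, transport, added_after

    def _get(self, url: str, params: Optional[Dict[str, str]] = None):
        return self.transport(url, {"Accept": TAXII_ACCEPT}, params or {})

    def poll(self) -> List[Tuple[str, str, str]]:
        """Return (stix_id, observable, value) triples for every indicator found."""
        _, disco = self._get(self.discovery_url)
        api_root = disco.get("default") or disco["api_roots"][0]
        _, cols = self._get(api_root + "collections/")
        newest, found = self.added_after, []
        for col in cols["collections"]:
            if not col.get("can_read"):
                continue
            url = f"{api_root}collections/{col['id']}/objects/"
            params = {"added_after": self.added_after} if self.added_after else {}
            while True:
                hdrs, env = self._get(url, params)
                for obj in env.get("objects", []):
                    if obj.get("type") != "indicator":
                        continue  # malware, relationship, ... carry no observables
                    for observable, value in PATTERN_RE.findall(obj.get("pattern", "")):
                        found.append((obj["id"], observable, value))
                # RFC 3339 UTC timestamps in one layout, so the string max is the later one.
                newest = max(newest, hdrs.get("X-TAXII-Date-Added-Last", ""))
                if env.get("more") and env.get("next"):
                    params = dict(params, next=env["next"])  # TAXII 2.1 pagination
                else:
                    break
        self.added_after = newest
        return found


# Constructed stand-in for a TAXII 2.1 server so the example runs without a network.
DISCOVERY = "https://taxii.example.test/taxii2/"
API_ROOT = "https://taxii.example.test/api1/"
COLLECTION = "91a7b528-80eb-42ed-a74d-c6fbd5a26116"
OBJECTS_URL = f"{API_ROOT}collections/{COLLECTION}/objects/"


def _indicator(n: str, pattern: str) -> dict:
    return {"type": "indicator", "spec_version": "2.1", "id": f"indicator--{n}",
            "pattern": pattern, "pattern_type": "stix", "valid_from": "2025-01-01T00:00:00.000Z"}


def fake_transport(url, headers, params):
    if headers.get("Accept") != TAXII_ACCEPT:
        raise ValueError("server would reject a request without the TAXII Accept header")
    if url == DISCOVERY:
        return {}, {"title": "Example feed", "api_roots": [API_ROOT]}
    if url == API_ROOT + "collections/":
        return {}, {"collections": [{"id": COLLECTION, "title": "IOCs", "can_read": True, "can_write": False}]}
    if url == OBJECTS_URL and params.get("added_after") == "2025-01-02T00:00:00.000Z":
        return {"X-TAXII-Date-Added-Last": "2025-01-03T00:00:00.000Z"}, {"more": False, "objects": [
            _indicator("4444", "[ipv6-addr:value = '2001:db8::10']")]}
    if url == OBJECTS_URL and params.get("next") == "page2":
        return {"X-TAXII-Date-Added-Last": "2025-01-02T00:00:00.000Z"}, {"more": False, "objects": [
            _indicator("3333", "[url:value = 'http://bad.example.net/drop']")]}
    if url == OBJECTS_URL:
        return {"X-TAXII-Date-Added-Last": "2025-01-01T12:00:00.000Z"}, {"more": True, "next": "page2", "objects": [
            _indicator("1111", "[ipv4-addr:value = '198.51.100.7']"),
            {"type": "malware", "id": "malware--9999", "name": "loader"},
            _indicator("2222", "[domain-name:value = 'bad.example.net' OR ipv4-addr:value = '203.0.113.9']")]}
    raise KeyError(url)


def run_demo():
    """Two consecutive polls: the second only sees what was added after the first."""
    poller = Taxii2Poller(DISCOVERY, fake_transport)
    first = poller.poll()
    second = poller.poll()
    return first, second, poller.added_after


if __name__ == "__main__":
    first, second, cursor = run_demo()
    print(len(first), "indicators on first poll,", len(second), "on second; cursor", cursor)
```

In a real deployment the transport is an HTTPS client that verifies the server certificate and presents the feed's credentials, and the added_after cursor must be persisted across restarts; otherwise every restart re-ingests the whole collection, which is the usual cause of duplicate indicators and a burst of stale matches.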

Requirements

Cloud SIEM supports TAXII 1.x and TAXII 2.x.

Configure the integration

  1. Configure the TAXII 1 Client Source or TAXII 2 Client Source, depending on which you want to use.
  2. The ingested threat intelligence indicators appear on the Threat Intelligence tab. To access the Threat Intelligence tab:
    • Classic UI. In the main Sumo Logic menu, select Manage Data > Logs > Threat Intelligence.
    • New UI. In the top menu select Configuration, and then under Logs select Threat Intelligence. You can also click the Go To... menu at the top of the screen and select Threat Intelligence.
  3. Use the hasThreatMatch Cloud SIEM rules language function to search incoming records for matches to threat intelligence indicators. When matches are found, they appear on records in Cloud SIEM.

Leveraging indicators in rules

Threat intelligence indicators allow you to enrich incoming records with threat intel information. Cloud SIEM uses the hasThreatMatch rules function to compare incoming records with information from the threat feed. When there is a match, for instance when an IP address in a record equals an IP address that the feed says is malicious, Cloud SIEM adds the relevant threat information to that record.

Because the threat intel information is persisted within records, you can reference it downstream in both rules and search. The built-in rules that come with Cloud SIEM will also automatically create a signal for any record with a match from your threat feed.
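To make the matching step concrete, here is an added Python example of the logic a threat-match check performs; it is written for this page and is not Cloud SIEM's hasThreatMatch implementation, whose internals this page does not describe. The indicator table and the records are constructed, the record field names are assumed to resemble the Cloud SIEM schema rather than taken from this page, and the clock is fixed so the run is deterministic. It handles the cases a practitioner trips over: CIDR indicators, indicators that have expired (valid_until in the past), a malformed address in a record, a confidence threshold, and matching a hostname against a parent-domain indicator.

```python
import ipaddress
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed indicator table, shaped like what a feed would have delivered:
# an exact IPv4, a CIDR range, a domain, and an IPv4 that has already expired.
INDICATORS = [
    {"id": "indicator--0001", "type": "ipv4-addr", "value": "198.51.100.7",
     "confidence": 90, "valid_until": None, "source": "feed-a"},
    {"id": "indicator--0002", "type": "ipv4-addr", "value": "203.0.113.0/24",
     "confidence": 60, "valid_until": None, "source": "feed-a"},
    {"id": "indicator--0003", "type": "domain-name", "value": "bad.example.net",
     "confidence": 80, "valid_until": None, "source": "feed-b"},
    {"id": "indicator--0004", "type": "ipv4-addr", "value": "192.0.2.5",
     "confidence": 95, "valid_until": "2024-12-31T00:00:00+00:00", "source": "feed-b"},
]

# Record field -> indicator type it is compared against (assumed field names).
FIELD_TYPES = {"srcDevice_ip": "ipv4-addr", "dstDevice_ip": "ipv4-addr",
               "dns_query": "domain-name", "http_hostname": "domain-name"}


def _domain_candidates(name: str) -> List[str]:
    """cdn.bad.example.net -> [cdn.bad.example.net, bad.example.net, example.net].
    Matching a parent domain is a design choice here; the bare TLD is never tried."""
    parts = name.lower().rstrip(".").split(".")
    return [".".join(parts[i:]) for i in range(len(parts) - 1)]


class ThreatIndex:
    """Exact-value dictionary for O(1) lookups plus a list of CIDR ranges.
    Indicators whose valid_until is in the past are dropped at build time."""

    def __init__(self, indicators: List[dict], now: datetime):
        self.exact: Dict[Tuple[str, str], dict] = {}
        self.networks: List[tuple] = []
        for ind in indicators:
            until = ind.get("valid_until")
            if until and datetime.fromisoformat(until) < now:
                continue  # expired: a stale IP would only generate false positives
            if ind["type"] in ("ipv4-addr", "ipv6-addr") and "/" in ind["value"]:
                self.networks.append((ipaddress.ip_network(ind["value"], strict=False), ind))
            else:
                self.exact[(ind["type"], ind["value"].lower())] = ind

    def lookup(self, itype: str, value: str) -> Optional[dict]:
        if itype == "domain-name":
            for cand in _domain_candidates(value):
                if (itype, cand) in self.exact:
                    return self.exact[(itype, cand)]
            return None
        hit = self.exact.get((itype, value.lower()))
        if hit is not None:
            return hit
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return None  # malformed address in the record is never a match
        for net, ind in self.networks:
            if addr in net:
                return ind
        return None


def has_threat_match(record: dict, index: ThreatIndex, fields: List[str],
                     min_confidence: int = 0) -> dict:
    """Copy of record with threat_* enrichment added when any named field
    matches an indicator whose confidence is at or above min_confidence."""
    out = dict(record)
    for field in fields:
        value = record.get(field)
        if not value:
            continue
        ind = index.lookup(FIELD_TYPES[field], str(value))
        if ind is not None and ind["confidence"] >= min_confidence:
            out.update({"threat_match": True, "threat_field": field,
                        "threat_indicatorId": ind["id"], "threat_source": ind["source"],
                        "threat_confidence": ind["confidence"]})
            return out
    out["threat_match"] = False
    return out


# Constructed records: exact hit, CIDR hit, expired indicator, subdomain hit, bad value.
RECORDS = [
    {"srcDevice_ip": "10.0.0.5", "dstDevice_ip": "198.51.100.7"},
    {"srcDevice_ip": "203.0.113.77", "dstDevice_ip": "10.0.0.9"},
    {"srcDevice_ip": "10.0.0.5", "dstDevice_ip": "192.0.2.5"},
    {"srcDevice_ip": "10.0.0.5", "dns_query": "cdn.bad.example.net"},
    {"srcDevice_ip": "10.0.0.1", "dstDevice_ip": "not-an-ip"},
]


def enrich_all(min_confidence: int = 0) -> List[dict]:
    index = ThreatIndex(INDICATORS, now=datetime(2025, 6, 1, tzinfo=timezone.utc))
    return [has_threat_match(r, index, list(FIELD_TYPES), min_confidence) for r in RECORDS]


if __name__ == "__main__":
    for rec in enrich_all(min_confidence=70):
        print(rec)
```

Raising the confidence threshold is what turns the low-confidence CIDR hit (the second record) from a match into a non-match while leaving the exact and domain hits alone; in practice this is the knob that keeps a noisy feed from creating a signal for every record, since the built-in rules act on any match persisted on the record.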

For more information, see Find Threats with Cloud SIEM.


Copyright © 2025 by Sumo Logic, Inc.