Feeds
Security analysts often need to create custom threat intelligence to capture their findings about threat investigations. These findings can be recorded as lists of malicious, suspicious, or clean observables (block lists, watch lists, and allowed lists). These lists can then be saved and updated as data feeds.
Security products can be configured to consume these feeds and have policies around each type of feed—for example, a firewall could consume a list of known bad IP addresses and block connection attempts to those IPs. Feeds allow analysts to gather, curate, and ultimately publish lists of observables that are interesting or meaningful, and related in some way.
The Cisco XDR Intelligence feature allows you to create these custom feeds for continuous gathering of observables, and to share them with other technologies or users via the feed URL. A feed can be a simple list of observables, one per line, or a list of detailed judgments (including the observable) in JSON format. These feeds are created and managed on the Feeds page.
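The following is an added example of a feed consumer, written for this page; it is not Cisco code and does not call Cisco APIs. The one-observable-per-line text shape comes from the description above. The JSON judgment field names it reads (observable.type, observable.value, disposition_name, valid_time.end_time) are assumptions for illustration and must be checked against the JSON panel of a real feed. The sample payloads are constructed inline in place of an HTTP GET on the feed URL. Two practitioner concerns are built in: expired judgments are skipped, and the candidate block list is filtered so that a malformed or poisoned entry such as 127.0.0.1 cannot be pushed into firewall policy. Since a feed is shared by sharing its URL, handle that URL as you would any access credential.

```python
"""Consume a custom feed in either output shape: plain observables or JSON judgments.

Added example; this is not Cisco's code. The one-observable-per-line shape is taken
from the page. The JSON judgment field names used here (observable.type,
observable.value, disposition_name, valid_time.end_time) are ASSUMED for
illustration and must be checked against the JSON panel of a real feed.
"""
import ipaddress
import json
from datetime import datetime, timezone

# Fixed "now" so the example is deterministic; a real consumer uses datetime.now(timezone.utc).
FROZEN_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)

# Constructed sample of the Observables output (one per line). It deliberately
# contains entries a careless consumer would push into firewall policy:
# a loopback address and a malformed line.
SAMPLE_OBSERVABLES_FEED = """\
198.51.100.23
203.0.113.7
evil.example

127.0.0.1
not an ip!!
"""

# Constructed sample of the Judgments output (JSON array). Field names are assumed.
SAMPLE_JUDGMENTS_FEED = json.dumps([
    {"observable": {"type": "ip", "value": "198.51.100.23"},
     "disposition_name": "Malicious",
     "valid_time": {"end_time": "2099-01-01T00:00:00Z"}},
    {"observable": {"type": "ip", "value": "192.0.2.9"},
     "disposition_name": "Malicious",
     "valid_time": {"end_time": "2000-01-01T00:00:00Z"}},   # already expired
    {"observable": {"type": "domain", "value": "evil.example"},
     "disposition_name": "Suspicious",
     "valid_time": {"end_time": "2099-01-01T00:00:00Z"}},
])


def parse_observables(text):
    """Plain-text output: one observable per line; blank lines are ignored."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def parse_judgments(text, now=FROZEN_NOW):
    """JSON output: keep judgments whose valid_time has not ended.

    Returns (type, value, disposition_name) tuples. Judgments without an
    end_time are treated as open-ended.
    """
    kept = []
    for judgment in json.loads(text):
        observable = judgment.get("observable", {})
        end = judgment.get("valid_time", {}).get("end_time")
        if end and datetime.fromisoformat(end.replace("Z", "+00:00")) <= now:
            continue
        kept.append((observable.get("type"), observable.get("value"),
                     judgment.get("disposition_name")))
    return kept


def safe_ip_blocklist(values):
    """Filter candidate IPs before they reach a firewall.

    Drops anything that is not a parseable address and anything whose blocking
    would break the host itself (loopback, unspecified, link-local, multicast).
    A feed entry like 127.0.0.1 or 0.0.0.0 is how a poisoned or mistyped list
    turns into an outage.
    """
    keep = set()
    for value in values:
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:
            continue
        if ip.is_loopback or ip.is_unspecified or ip.is_link_local or ip.is_multicast:
            continue
        keep.add(str(ip))
    return sorted(keep)


def build_policy_lists(observables_text, judgments_text, now=FROZEN_NOW):
    """Turn both feed shapes into a block list and a watch list.

    Assumes the plain observables feed was built from a malicious indicator, so
    its entries and all Malicious judgments become block candidates; Suspicious
    judgments only go to the watch list.
    """
    block_candidates = list(parse_observables(observables_text))
    watch = set()
    for _obs_type, value, disposition in parse_judgments(judgments_text, now):
        if disposition == "Malicious":
            block_candidates.append(value)
        elif disposition == "Suspicious":
            watch.add(value)
    return {"block_ips": safe_ip_blocklist(block_candidates), "watch": sorted(watch)}


if __name__ == "__main__":
    print(build_policy_lists(SAMPLE_OBSERVABLES_FEED, SAMPLE_JUDGMENTS_FEED))
```

On the sample input this yields a block list of 198.51.100.23 and 203.0.113.7 and a watch list of evil.example: the expired 192.0.2.9 judgment, the loopback address and the malformed line are all dropped before anything reaches enforcement. In a real consumer, replace the constructed strings with the body fetched from the feed URL and `FROZEN_NOW` with the current UTC time.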
You access this page by choosing Intelligence > Feeds in the navigation menu.
The Feeds list includes the custom feeds that have been created, including the name, what it contains, the date and time it was created, who created it, and the date and time it expires.
Column Name | Description
---|---
Title | The name and description of the feed. Click the feed Title to open the Feed Details drawer, view additional information, and edit or delete the feed.
Output | What the feed URL returns: Observables or Judgments.
Modified | The date and time the feed was created or last updated. Click the (Sort) icon next to the Modified column to sort by oldest or most recent date and time.
Creator | The user who created the feed.
Expiration | The lifetime of the feed, specified when it is created. If an expiration date was set, this column shows how many days from the current date remain until the feed expires.
Use the Search text box in the upper portion of the page to narrow the display of feeds. Click the tooltip next to the text box to view the search criteria and examples of common searches.
You can sort the Feeds table by the date a feed was created or last updated. Click the (Sort) icon next to the Modified column to sort by oldest or most recent date and time.
Click the feed name to open the Feed Details drawer and view additional information, copy the URL for the feed and share it with others, download the feed in JSON format, and edit or delete the feed.
Expand the General panel in the Feed Details drawer to view the date and time the feed was created or updated, who created it, when it expires, and the feed URL. Copy the URL and paste it into an email or other collaboration tool to share the feed with others.
Expand the JSON panel in the Feed Details drawer to view the feed in JSON format.
You can delete a feed in the Feed Details drawer. Click the feed Title to open the drawer and then click Delete. On the confirmation dialog, click Delete.
You can edit what is included in a feed in the Feed Details drawer; the feed URL is set by the system and cannot be changed. Click the feed Title to open the drawer and then click Edit.
When creating a new feed, you select an indicator that populates the feed. That indicator drives feed generation: the feed includes every observable that has had the indicator applied to it through a judgment.
You can add observables to any feed that you have created using the Create Judgment option on the Pivot menu next to the observable. You add a judgment for the observable and then associate the appropriate indicators (see Create Private Judgment). The feed is then automatically updated to include the observable. The next time any user or device downloads the feed, it will include the newly-added observable or judgment.
For more information, see the Create Feed URL help topic.