Feeds
Security analysts often need to create custom threat intelligence to capture their findings about threat investigations. These findings can be recorded as lists of malicious, suspicious, or clean observables (block lists, watch lists, and allowed lists). These lists can then be saved and updated as data feeds.
Security products can be configured to consume these feeds and have policies around each type of feed—for example, a firewall could consume a list of known bad IP addresses and block connection attempts to those IPs. Feeds allow analysts to gather, curate, and ultimately publish lists of observables that are interesting or meaningful, and related in some way.
The Cisco XDR Intelligence feature allows you to create these custom feeds for continuous gathering of observables, and to share them with other technologies or users via the feed URL. A feed can be a simple list of observables, one per line, or a list of detailed judgments (including the observable) in JSON format. These feeds are created and managed in the Feeds tab on the Intelligence page.
The Feeds list includes the custom feeds that have been created, including the name, what it contains, the date and time it was created, who created it, and the date and time it expires.

Column Name | Description |
---|---|
Title | The name and description of the feed. Click the feed Title to open the Feed Details drawer and view additional information, and edit or delete the feed. |
Output | What is included in the output for the feed URL (Observables or Judgments). |
Modified | The date and time the feed was created or updated. Click the |
Creator | The user who created the feed URL. |
Expiration | The lifetime of the feed, which is specified when it is created. If a specific date is included when the feed is created, it displays how many days from the current date the feed will expire. |

Use the Search text box in the upper portion of the page to narrow the display of feeds. Click the tooltip next to the text box to view the search criteria and examples of common searches.
You can sort the Feeds table based on the date it was created. Click the (Sort) icon next to the Modified column to sort by oldest or most recent date and time.

Click the feed name to open the Feed Details drawer and view additional information, copy the URL for the feed and share it with others, download the feed in JSON format, and edit or delete the feed.

Expand the General panel in the Feed Details drawer to view the date and time the feed was created or updated, who created it, when it expires, and the feed URL, which you can copy and paste into an email or other collaboration tool to share with others.

Expand the JSON panel in the Feed Details drawer to view the feed in JSON format.

You can delete a feed in the Feed Details drawer.
Click the feed Title to open the drawer and then click Delete. On the confirmation dialog, click Delete.

You can edit what is included in a feed in the Feed Details drawer; the feed URL is set by the system and cannot be changed.
Click the feed Title to open the drawer and then click Edit.

Before you can create a feed URL, you need the indicator that will serve as the data collection mechanism for the feed. The selected indicator is then the driving factor for feed generation—the feed will include all observables that have had that indicator applied via judgments. You can use any existing indicator in your private intel store or create a new one for this purpose (see Create Private Indicator). This indicator should be as descriptive as possible, and the title should make it clear that it drives population of a feed.
You can add observables to any feed that you have created using the Create Judgment option on the Pivot menu next to the observable. You add a judgment for the observable and then associate the appropriate indicators (see Create Private Judgment). The feed is then automatically updated to include the observable. The next time any user or device downloads the feed, it will include the newly-added observable or judgment.
Once you have an indicator ready, you can create the feed URL.
- Choose Intelligence in the navigation menu and click the Feeds tab.
- Click Create feed URL in the upper right corner to open the drawer.
- Complete the form:

Field | Description |
---|---|
Title | Required. Enter a descriptive title for the feed. |
Indicator | Required. Click the drop-down list and choose the indicator that contains the list of observables to be saved in the feed URL. The indicator is the mechanism for populating the feed with data; when you create a judgment on an observable and assign it to an indicator, the judgment and observable are tied to the feed that includes this indicator. |
Output | From the drop-down list, choose Observables or Judgments as the output for the feed URL. |
Expiration | By default, feed URLs are set to never expire. If you want to specify an expiration date, uncheck the Never expires check box and pick a date on the calendar. |

- Click Create.
The newly added feed is displayed in the Feeds tab.
Each feed has a URL, which has an authorization token built into it that allows other products to use the contents of the feed without having to authenticate with Cisco XDR.
Note: Because the feed can be reached without authenticating in Cisco XDR, anyone who has access to the URL can use it.
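The following is an added example, not Cisco code, of how a consuming tool might handle an Observables feed of IP addresses (one per line): it validates each line before it reaches a block list and keeps the token-bearing URL out of logs. The feed URL shown is a placeholder, and the sample feed body and the `PROTECTED` never-block ranges are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample of an Observables feed body: one observable per line.
SAMPLE_FEED = "203.0.113.7\n198.51.100.0/24\n10.0.0.5\nnot-an-ip\n203.0.113.7\n\n0.0.0.0/0\n"

# Assumption: ranges this consumer must never block (internal and loopback space).
PROTECTED = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def redact_feed_url(url):
    """Keep only scheme and host for logs; the rest of the URL may carry the token."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.hostname}/<redacted>"


def parse_ip_feed(body):
    """Return (accepted CIDR strings, [(rejected line, reason), ...])."""
    accepted, rejected, seen = [], [], set()
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append((line, "not an IP address or CIDR"))
            continue
        # A feed entry that covers protected space would cut off internal hosts.
        hit = next((p for p in PROTECTED
                    if p.version == net.version and p.overlaps(net)), None)
        if hit is not None:
            rejected.append((line, f"overlaps protected range {hit}"))
        elif net not in seen:
            seen.add(net)
            accepted.append(str(net))
    return accepted, rejected


if __name__ == "__main__":
    # Placeholder URL, not a real feed address.
    print("fetched", redact_feed_url("https://feeds.example.invalid/path/TOKEN"))
    ok, bad = parse_ip_feed(SAMPLE_FEED)
    print("block:", ok)
    for line, reason in bad:
        print("skip:", line, "-", reason)
```

Rejected lines are worth alerting on rather than silently dropping, since an unexpected entry can mean the feed's indicator was applied to the wrong observable.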

A feed is the set of observables that have been seen in conjunction with an indicator. As such, the feed is populated by adding indicators to observables via judgments.

As you work cases and incidents, or process threat intelligence or alerts from any source that has Pivot menus, you can assign judgments to observables, and also tie those judgments to indicators.
If an observable has a judgment that is tied to an indicator that is associated with a feed (on the Create feed URL form), then the observable will be added to that feed. When a user or technology downloads the feed from the feed URL, they get the list of all observables that have been tied to that feed’s indicators.
To add an observable to a feed, you need to create a judgment for that observable, and assign the relevant indicator (see Create Private Judgment).

You can remove an observable from a feed by deleting the judgment that associates it to the relevant indicator that populates the feed. This is done from the Judgments tab (private judgments only). See Delete Private Judgment.
Note: If the observable has multiple judgments assigned to it that reference the feed’s indicator, you will need to delete them all.