Custom Intelligence Feeds lets you add custom cyber intelligence feeds (threat indicators) to the Threat Prevention engine. You can add feeds from a third-party server directly to the Security Gateway to be enforced by the Anti-Virus and Anti-Bot Software Blades. For more information, see sk132193.
An indicator of compromise (IOC) is a pattern of relevant, observable malicious activity in an operational cyber domain, and includes information on how to interpret and handle the threat. Indicators are derived from intelligence, self-analysis, government agencies, partner organizations, and similar sources.
To add IOC feeds from Splunk:

If the Splunk feeds are on the gateway:

Note - The user must have bash (scp does not run in cli.sh), and the user UID cannot be 0.

The Splunk feed is built from several files, which are placed in the user's home directory on the gateway, for example /home/client/.

To define the new feed in cli, use this command:

ioc_feeds add --feed_name <name of feed> --transport local_directory --resource /home/<user name>

This collects all files under the directory as a single feed.

If the Splunk feeds are on the web server, each file is considered separately.
Examples:

ioc_feeds add --feed_name <name of feed> --transport http --resource local.splunk.server/feeds/ips.csv
ioc_feeds add --feed_name <name of feed> --transport http --resource local.splunk.server/feeds/URLs.csv
ioc_feeds add --feed_name <name of feed> --transport http --resource local.splunk.server/feeds/MD5s.csv
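The two procedures above (a local_directory feed under a non-root bash user's home directory, and one http feed per file on a web server) are easy to get wrong in the details the note calls out: a user whose login shell is cli.sh cannot receive the files with scp, and UID 0 is rejected. The following pre-flight script is an added example, not Check Point's own code or part of this page; it checks a passwd entry against the documented constraints, derives the feed directory from it, counts the files that will be ingested as one feed, and prints the matching ioc_feeds add commands. The constructed passwd entries, the feed name splunk_ioc, the web server host and the rule that an http feed is named after its file are all assumptions of the example.

```shell
#!/bin/sh
# Added example: pre-flight checks before running "ioc_feeds add" for Splunk feeds.
# Not Check Point's code. Assumes a POSIX shell and passwd entries in the usual
# name:x:uid:gid:gecos:home:shell layout (as printed by "getent passwd <user>").

# Return 0 when the passwd entry satisfies the documented constraints:
# the login shell is bash (scp does not run in cli.sh) and the UID is not 0.
feed_user_ok() {
    entry=$1
    uid=$(printf '%s' "$entry" | cut -d: -f3)
    shell=$(printf '%s' "$entry" | cut -d: -f7)
    [ -n "$uid" ] && [ "$uid" -ne 0 ] && [ "$(basename "$shell")" = "bash" ]
}

# The local_directory resource is the user's home directory (/home/<user name>).
feed_dir_for() { printf '%s' "$1" | cut -d: -f6; }

# Every regular file directly under the directory becomes part of the single feed,
# so knowing the count before adding the feed avoids ingesting stray files.
count_feed_files() { find "$1" -maxdepth 1 -type f | wc -l | tr -d ' '; }

# Build the command for a feed whose files are on the gateway itself.
local_feed_cmd() {
    printf 'ioc_feeds add --feed_name %s --transport local_directory --resource %s\n' "$1" "$2"
}

# Build one command per file for feeds hosted on a web server; each file is a
# separate feed, and this example (an assumption) names the feed after the file.
http_feed_cmds() {
    server=$1; shift
    for f in "$@"; do
        printf 'ioc_feeds add --feed_name %s --transport http --resource %s/%s\n' \
            "${f%.*}" "$server" "$f"
    done
}

# Full pre-flight against a real account on the gateway: look the user up, apply
# the checks, and print the command to run (does not execute ioc_feeds itself).
preflight_local_feed() {
    feed_name=$1; user=$2
    entry=$(getent passwd "$user") || { echo "user $user not found" >&2; return 1; }
    feed_user_ok "$entry" || { echo "user $user must have bash and a non-zero UID" >&2; return 1; }
    dir=$(feed_dir_for "$entry")
    [ -d "$dir" ] || { echo "feed directory $dir does not exist" >&2; return 1; }
    echo "$(count_feed_files "$dir") file(s) will be collected as one feed"
    local_feed_cmd "$feed_name" "$dir"
}

# Constructed passwd entries used to demonstrate the checks offline.
SAMPLE_OK='client:x:1001:100::/home/client:/bin/bash'
SAMPLE_ROOT='root:x:0:0:root:/root:/bin/bash'
SAMPLE_CLISH='admin:x:1000:100::/home/admin:/etc/cli.sh'

for e in "$SAMPLE_OK" "$SAMPLE_ROOT" "$SAMPLE_CLISH"; do
    name=$(printf '%s' "$e" | cut -d: -f1)
    if feed_user_ok "$e"; then
        echo "$name: ok ->" "$(local_feed_cmd splunk_ioc "$(feed_dir_for "$e")")"
    else
        echo "$name: rejected (needs bash login shell and UID != 0)"
    fi
done
http_feed_cmds local.splunk.server/feeds ips.csv URLs.csv MD5s.csv
```

Run it as a non-privileged user on the gateway to see the three sample verdicts and the per-file http commands; preflight_local_feed splunk_ioc client performs the same checks against a real account before you paste the printed command into cli.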
An observable is an event or a stateful property that can be observed in an operational cyber domain. These include: