When we met at Protect in September, you were pretty clear that adding STIX/TAXII support to the Activate Threat Intelligence package should be a priority. Today, we are happy to announce the first release of this support, enabling you to take advantage of the Activate Threat Intelligence use cases by integrating your STIX/TAXII server of choice.
Here are the highlights of the current release:
- Configure the new Activate STIX/TAXII script to point to any STIX 1.2/TAXII 1.1 compliant TAXII server. We tested with “Hail a TAXII”, Anomali Limo, and AlienVault OTX.
- The STIX/TAXII script populates the existing Activate Threat Intelligence Active Lists with all of the STIX Indicators in all the TAXII Collections at that server.
- The Activate Threat Intelligence Use Cases work exactly as before, without any change.
Upcoming releases will focus on at least the following big items:
- Extend support to more advanced objects in the STIX model, in particular Campaigns, Threat Actors, and TTPs. With the fuller STIX model inside ESM, we can give analysts this richer context to work with when conducting alert triage.
- Enable bi-directional sharing of threat intelligence by allowing the push of STIX objects to the TAXII server.
As a community-driven effort, we value your feedback and contributions to improve our STIX/TAXII support in ArcSight.
Start your exploration of the latest Activate Threat Intelligence solution here.