Fetch TAXII Feeds to Use as Sources

If you encounter an issue during TID configuration or operation, see Troubleshoot Threat Intelligence Director.

Procedure


Step 1

Make sure your source meets the requirements in Source Requirements.

Step 2

Choose Integration > Intelligence > Sources.

Step 3

Click Add (add icon).

Step 4

Choose TAXII as the Delivery method for the source.

Step 5

Enter the source information, noting the following:

  • If the host server requires an encrypted connection, configure the SSL Settings as described in Configure TLS/SSL Settings for a Threat Intelligence Director Source.

  • You cannot change the Action selection for TAXII sources.

    Block is not an Action option for TAXII sources, as STIX data can contain complex indicators, which the system cannot block. Devices (elements) store and take action based on single observables; they cannot take action based on multiple observables.

    However, after ingestion, you can block individual observables and simple indicators obtained from the source. For more information, see Edit Threat Intelligence Director Actions at the Source, Indicator, or Observable Level.

  • It may take some time for the list of feeds to load.

  • The Update Every interval specifies how often threat intelligence director retrieves updates from the TAXII source.

    Set an update frequency that matches how often the data source is updated. For example, if the source is updated 3 times per day, set your update interval to 1440/3, or 480 minutes, to regularly capture the latest data.

  • After the number of days you specify for TTL, threat intelligence director deletes:

    • all of the source's indicators that are not included in subsequent source updates.

    • all observables not referenced by a surviving indicator.

    Note

    If the source contains no updates for the number of days specified for TTL and the source checksum remains unchanged, downloads are treated as feeds with no updates. For observables to receive a new TTL value, the source must contain a few updates.

Step 6

If you want to immediately begin publishing to elements, confirm that the PUBLISH Slider (slider icon) is enabled.

When this option is enabled, the system automatically publishes the initial source data and any subsequent changes.

For details, see Pause or Publish Threat Intelligence Director Data at the Source, Indicator, or Observable Level.

Step 7

Click Save.
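
The Update Every arithmetic and the TTL rule from Step 5, modelled as an added Python example. This is not Cisco code; the data layout, the function names, and the exact expiry comparison are assumptions made for illustration, and the sample indicators are constructed.

```python
from datetime import date

MINUTES_PER_DAY = 1440


def update_interval_minutes(updates_per_day):
    """Update Every value for a source that refreshes N times per day."""
    return MINUTES_PER_DAY // updates_per_day


def apply_ttl(indicators, ttl_days, today):
    """Model the TTL cleanup described in Step 5.

    indicators: {id: {"last_seen": date, "observables": set of values}}
    last_seen is the date of the latest source update that included the
    indicator. Assumption: an indicator is deleted once more than
    ttl_days have passed since last_seen.
    Returns (surviving_ids, kept_observables, deleted_observables).
    """
    surviving = {
        ind_id
        for ind_id, ind in indicators.items()
        if (today - ind["last_seen"]).days <= ttl_days
    }
    all_obs = set().union(*(i["observables"] for i in indicators.values()))
    # An observable is kept if any surviving indicator still references it.
    kept = set().union(*(indicators[i]["observables"] for i in surviving))
    return surviving, kept, all_obs - kept


# Constructed sample: ind-a and ind-c dropped out of the feed, ind-b did not.
SAMPLE = {
    "ind-a": {"last_seen": date(2024, 3, 1),
              "observables": {"198.51.100.7", "malware.example"}},
    "ind-b": {"last_seen": date(2024, 3, 28),
              "observables": {"198.51.100.7"}},
    "ind-c": {"last_seen": date(2024, 2, 15),
              "observables": {"203.0.113.9"}},
}

if __name__ == "__main__":
    print("Update Every:", update_interval_minutes(3), "minutes")
    ids, kept, deleted = apply_ttl(SAMPLE, ttl_days=14, today=date(2024, 3, 30))
    print("surviving indicators:", sorted(ids))
    print("kept observables:", sorted(kept))
    print("deleted observables:", sorted(deleted))
```

The shared observable 198.51.100.7 stays because ind-b still references it, even though ind-a, which also referenced it, has aged out.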


What to do next

  • TAXII feeds can contain a lot of data, so it may take some time for the system to ingest all of it. To view ingestion status, refresh the Sources page.

  • If you see an error for this source, hover over the status for details.

  • If you are doing initial threat intelligence director configuration, return to How To Set Up Threat Intelligence Director.