Sekoia TAXII Feed

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

Supported data types   | 3rd party detection | Hunters detection | IOC search | Search | Table name             | Log format | Collection method
Sekoia TAXII Feed Logs | ✅                  | ✅                | ✅         | ✅     | sekoia_taxii_feed_logs | JSON       | S3 / API


Overview

Sekoia’s CTI platform aggregates and continuously curates intelligence from hundreds of external sources and analyst research, tracking attacker groups, infrastructure, and vulnerabilities worldwide. This intelligence is exposed via a TAXII discovery endpoint and an API root that use HTTP Basic authentication, with the Sekoia Intelligence Center API key supplied as the password. Within Hunters, this intelligence supports IOC-based detections, retro-hunting, and contextual enrichment of alerts across the Hunters SIEM.

Hunters parses these STIX 2.1 vulnerability objects alongside other CTI types and uses them to enrich alerts with CVE context, prioritize findings based on known vendor advisories, and drive vulnerability-aware detections that correlate asset activity with exploitation intelligence coming from Sekoia’s continuously updated CTI feeds.
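The TAXII 2.1 exchange described above (discovery document, API root, collection listing, then paged object retrieval with HTTP Basic auth carrying the API key as the password), as an added example that is not Hunters' or Sekoia's code. The discovery URL, API root, collection id (assumed here to be the Sekoia feed id), API key and the in-memory transport that answers the requests are all constructed placeholders so the exchange can be run offline; swapping `demo_fetch` for a real HTTP GET is the only change needed against a live server.

```python
import base64
import json
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Added example, not Hunters' or Sekoia's code. The discovery URL, API root,
# collection id (assumed to be the Sekoia feed id) and the API key below are
# constructed placeholders.
TAXII_MEDIA_TYPE = "application/taxii+json;version=2.1"
DEMO_DISCOVERY = "https://taxii.example.test/taxii2/"
DEMO_ROOT = "https://taxii.example.test/v2/"
DEMO_COLLECTION = "00000000-0000-4000-8000-000000000000"
DEMO_API_KEY = "EXAMPLE-API-KEY-NOT-REAL"

# fetch(url, request_headers) -> (status, response_headers, body)
Fetch = Callable[[str, Dict[str, str]], Tuple[int, Dict[str, str], bytes]]


def basic_auth_header(username: str, api_key: str) -> str:
    """HTTP Basic with the API key in the password slot, as the page describes."""
    token = base64.b64encode(f"{username}:{api_key}".encode()).decode()
    return f"Basic {token}"


class TaxiiClient:
    def __init__(self, discovery_url: str, username: str, api_key: str, fetch: Fetch):
        self.discovery_url = discovery_url
        self.fetch = fetch
        self.headers = {"Accept": TAXII_MEDIA_TYPE,
                        "Authorization": basic_auth_header(username, api_key)}

    def _get(self, url: str):
        status, headers, body = self.fetch(url, self.headers)
        if status == 401:
            raise PermissionError("TAXII server rejected the credentials (HTTP 401)")
        if status != 200:
            raise RuntimeError(f"unexpected HTTP {status} from {url}")
        return json.loads(body), headers

    def api_roots(self) -> List[str]:
        # The discovery document lists the API roots these credentials may use.
        return self._get(self.discovery_url)[0].get("api_roots", [])

    def readable_collections(self, api_root: str) -> List[dict]:
        doc, _ = self._get(api_root.rstrip("/") + "/collections/")
        return [c for c in doc.get("collections", []) if c.get("can_read")]

    def poll(self, api_root: str, collection_id: str,
             added_after: Optional[str] = None, limit: int = 100):
        """Collect every object added after `added_after`, following `next`
        cursors until `more` is false. Returns (objects, checkpoint), where the
        checkpoint is the X-TAXII-Date-Added-Last header to persist for the next run."""
        base = f"{api_root.rstrip('/')}/collections/{collection_id}/objects/"
        params = {"limit": str(limit)}
        if added_after:
            params["added_after"] = added_after
        objects, checkpoint = [], added_after
        while True:
            envelope, headers = self._get(base + "?" + urlencode(params))
            objects.extend(envelope.get("objects", []))
            checkpoint = headers.get("X-TAXII-Date-Added-Last", checkpoint)
            if not envelope.get("more"):
                return objects, checkpoint
            params["next"] = envelope["next"]


_PAGES = [  # constructed two-page object sequence served by the fake transport
    {"more": True, "next": "cursor-2",
     "objects": [{"type": "vulnerability", "id": "vulnerability--demo-1", "name": "CVE-2016-1413"}]},
    {"more": False,
     "objects": [{"type": "vulnerability", "id": "vulnerability--demo-2", "name": "CVE-2016-1264"}]},
]


def demo_fetch(url: str, headers: Dict[str, str]):
    """Stand-in for an HTTP GET that serves constructed TAXII 2.1 responses."""
    if headers.get("Authorization") != basic_auth_header("hunters", DEMO_API_KEY):
        return 401, {}, b"{}"
    parsed = urlparse(url)
    query = parse_qs(parsed.query)
    if parsed.path == "/taxii2/":
        return 200, {}, json.dumps({"title": "demo", "api_roots": [DEMO_ROOT]}).encode()
    if parsed.path == "/v2/collections/":
        coll = {"id": DEMO_COLLECTION, "title": "demo feed", "can_read": True, "can_write": False}
        return 200, {}, json.dumps({"collections": [coll]}).encode()
    if parsed.path == f"/v2/collections/{DEMO_COLLECTION}/objects/":
        page = _PAGES[1] if query.get("next") == ["cursor-2"] else _PAGES[0]
        return 200, {"X-TAXII-Date-Added-Last": "2019-10-11T14:03:37.005032Z"}, json.dumps(page).encode()
    return 404, {}, b"{}"


def run_demo():
    """Walk discovery -> API root -> collection -> objects against the fake transport."""
    client = TaxiiClient(DEMO_DISCOVERY, "hunters", DEMO_API_KEY, demo_fetch)
    root = client.api_roots()[0]
    collection_id = client.readable_collections(root)[0]["id"]
    return client.poll(root, collection_id, added_after="2019-01-01T00:00:00Z", limit=1)
```

Two points worth keeping when this is wired to a real server: persist the returned checkpoint and pass it back as `added_after` so each run only pulls new objects, and treat a 401 on the discovery call as a credential problem (wrong key or key in the username slot) rather than retrying it.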

Supported data types

Sekoia TAXII Feed Logs

Table name: sekoia_taxii_feed_logs

Among the objects exposed by Sekoia’s TAXII server are rich vulnerability STIX entities. These objects typically include a unique STIX ID, a CVE-based name with a matching external_references entry (source_name cve, external_id CVE-YYYY-XXXX), links to vendor advisories and distribution lists, the Sekoia creator identity, and custom fields such as x_inthreat_sources_refs that record which upstream sources contributed to the intelligence.

Many entries provide detailed natural-language descriptions of the vulnerability, its impact (CSRF, buffer overflow, DDoS, arbitrary code execution), and sometimes the affected products, while others explicitly document reserved or rejected CVE identifiers (marked RESERVED or REJECT) so that consumers avoid acting on non-issues.
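A consumer-side normaliser for these vulnerability objects, as an added example (not Hunters' or Sekoia's code): it takes the CVE id from the `cve` external reference, keeps the advisory URLs and `x_inthreat_sources_refs`, and refuses to enrich from objects that are revoked, flagged `x_ic_deprecated`, or whose description starts with a RESERVED/REJECT marker. The `** RESERVED **` / `** REJECT **` marker form is the CVE-list convention and is assumed here; the sample objects are constructed in the shape of the page's sample log, with placeholder ids and URLs.

```python
import re
from typing import Dict, List, Optional, Tuple

# Added example, not Hunters' or Sekoia's code. The "** RESERVED **" /
# "** REJECT **" marker form is the CVE-list convention and is assumed here;
# the sample objects below are constructed in the shape of the page's sample log.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
PLACEHOLDER_RE = re.compile(r"^\s*\**\s*(RESERVED|REJECT)\b")


def cve_id(obj: dict) -> Optional[str]:
    """Prefer the 'cve' external reference; fall back to a CVE-shaped name."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name", "").lower() == "cve" and ref.get("external_id"):
            return ref["external_id"].upper()
    name = obj.get("name", "")
    return name if CVE_RE.match(name) else None


def skip_reason(obj: dict) -> Optional[str]:
    """Return why an object must not drive enrichment, or None if it may."""
    if obj.get("type") != "vulnerability":
        return "not a vulnerability object"
    if obj.get("revoked"):
        return "revoked by the producer"
    if obj.get("x_ic_deprecated"):
        return "deprecated (x_ic_deprecated)"
    marker = PLACEHOLDER_RE.match(obj.get("description", ""))
    if marker:
        return f"CVE id is {marker.group(1)}, not a real issue"
    if cve_id(obj) is None:
        return "no CVE identifier"
    return None


def to_enrichment(obj: dict) -> Dict:
    """Flatten the fields an alert-enrichment step actually needs."""
    refs = obj.get("external_references", [])
    return {
        "stix_id": obj["id"],
        "cve": cve_id(obj),
        "advisories": [r["url"] for r in refs if r.get("url")],
        "sources": list(obj.get("x_inthreat_sources_refs", [])),
        "modified": obj.get("modified"),
        # first line of the description; the rest is markdown boilerplate
        "summary": obj.get("description", "").split("\n", 1)[0][:200],
    }


def normalise(objects: List[dict]) -> Tuple[List[Dict], Dict[str, str]]:
    """Split a batch into enrichment records and a {stix_id: reason} skip map."""
    kept, skipped = [], {}
    for obj in objects:
        reason = skip_reason(obj)
        if reason:
            skipped[obj.get("id", "?")] = reason
        else:
            kept.append(to_enrichment(obj))
    return kept, skipped


SAMPLE_OBJECTS = [  # constructed; field names follow the page's sample log
    {"id": "vulnerability--demo-0001", "type": "vulnerability", "revoked": False,
     "modified": "2019-10-11T14:03:37.005032Z", "x_ic_deprecated": False,
     "x_inthreat_sources_refs": ["identity--demo-source"],
     "external_references": [
         {"source_name": "cve", "external_id": "CVE-2016-1413"},
         {"source_name": "CISCO", "url": "https://advisory.example.test/cisco-sa-demo"}],
     "name": "CVE-2016-1413",
     "description": "The web interface in Cisco Firepower Management Center 5.4.0...\n\n### Problem\n\nn/a"},
    {"id": "vulnerability--demo-0002", "type": "vulnerability", "revoked": False,
     "x_ic_deprecated": False, "name": "CVE-0000-0000",  # placeholder id
     "description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER."},
    {"id": "vulnerability--demo-0003", "type": "vulnerability", "revoked": False,
     "x_ic_deprecated": True, "name": "CVE-2016-1264", "description": "Race condition..."},
    {"id": "indicator--demo-0004", "type": "indicator", "name": "not a vulnerability"},
]


def run_demo():
    return normalise(SAMPLE_OBJECTS)
```

The skip map is the useful by-product: logging why an object was dropped (rejected id, deprecated, revoked) makes it easy to see when a feed starts shipping placeholders that would otherwise inflate CVE-context on alerts.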

Send data to Hunters

Hunters supports the ingestion of Sekoia Feed logs via an intermediary AWS S3 bucket.

To connect Sekoia Feed logs via AWS S3 bucket:

  1. Export your logs from Sekoia.io to an AWS S3 bucket - guide by Sekoia

  2. Once the export is completed and the logs are collected to S3, follow the steps in this section.

Hunters also supports collecting the logs via the API:

To connect Sekoia Feed logs via API:

  1. Follow this guide by the vendor to generate the relevant API key, and use your feed ID or the default one provided.

  2. Supply Hunters with the following details:

    1. Feed ID - for example d6092c37-d8d7-45c3-8aff-c4dc26030608

    2. API Token - for example ABC123-ABC123-ABC123-ABC123

Expected format

Logs are expected in JSON format.

Sekoia Feed logs

{"source_name": "CONFIRM",
 "url": "http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10725",
 "object_marking_refs": ["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],
 "lang": "en",
 "spec_version": "2.1",
 "x_inthreat_sources_refs": ["identity--12c516b1-573d-42dd-b041-6b5ae42dcba6"],
 "x_ic_is_in_flint": false,
 "x_ic_deprecated": false,
 "name": "CVE-2016-1264",
 "description": "Race condition in the Op command in Juniper Junos OS before 12.1X44-D55, and 16.1 before 16.1R1 allows remote authenticated users to gain privileges via the URL option.\n\n### Problem\n\nn/a\n\n### Affected Products\n\n* n/a - n/a  n/a"}
{"id": "vulnerability--253fd7f9-5de7-4d32-80e1-bcf98d9b219f",
 "type": "vulnerability",
 "created_by_ref": "identity--357447d7-9229-4ce1-b7fa-f1b83587048e",
 "created": "2019-10-11T14:03:30.811533Z",
 "modified": "2019-10-11T14:03:37.005032Z",
 "revoked": false,
 "external_references": [{"source_name": "cve",
                          "external_id": "CVE-2016-1413"},
                         {"source_name": "CISCO",
                          "description": "20160527 Cisco Firepower Management Center Web Interface Code Injection Vulnerability",
                          "url": "http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160527-fmc"}],
 "object_marking_refs": ["marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da"],
 "lang": "en",
 "spec_version": "2.1",
 "x_inthreat_sources_refs": ["identity--12c516b1-573d-42dd-b041-6b5ae42dcba6"],
 "x_ic_is_in_flint": false,
 "x_ic_deprecated": false,
 "name": "CVE-2016-1413",
 "description": "The web interface in Cisco Firepower Management Center 5.4.0..."}