To enable the CanSSOC Threat Feeds in Trend Vision One:

1. Go to Threat Intelligence > Third-Party Intelligence > TAXII Feeds.
2. Add or edit a TAXII feed.
   • To add a feed, click Add.
   • To edit a feed, click the feed name.
3. In the General section, complete the following settings:
   1. Select the TAXII server version for this feed.
       

      TAXII 2.0 and 2.1 are supported. The TAXII server version cannot be modified once the feed has been added.

      You will need the “Feeds v2” credentials provided by CanSSOC. This is not the same as the MISP credentials.

       
   2. Type the discovery URL for each CanSSOC TAXII feed.
   3. Select Specify authentication credentials if the server requires it, and then type the user name and password used for authentication.
   4. (Optional) Select Use CA certificate if the server uses it, and then click Select to locate the CA certificate file.
   5. (Optional) Select Server requires client authentication if the server requires it, and then click Select to locate the client certificate file.
   6. (Optional) Type the client certificate passphrase.
4. In the Collections section, complete the following settings:
   1. Click Discover to find and select one or more available collections.
   2. For each selected collection, click the toggle to enable or disable the Extract and block suspicious objects option.

      If you enable the option, click the Edit icon and select one or more of the following suspicious object types to extract from the TAXII feed collections and add to the Suspicious Object List:

      • Domain
      • File SHA
      • File SHA
      • IP address
      • Sender address
      • URL

      By default, these suspicious objects are considered as high-risk objects that expire in 30 days. The connected products receive the new object information from Trend Vision One during the next synchronization, and will take the Block/Quarantine action after detecting those objects.

       

      Only indicator type STIX objects that are not labeled as anomalous-activity, anonymization, benign, compromised, or unknown, and that are not revoked will be added to the Suspicious Objects List.

       
   3. For each selected collection, click the toggle to enable or disable the Run an auto sweep option.

      Enabling this option initiates a one-time sweeping task that runs right after successful subscription to search your historical data for any indicators extracted from the current collection. Only "report" type STIX objects are supported for sweeping.

5. In the Polling criteria section, complete the following settings:
   1. Select the frequency at which the TAXII feed is polled for information.
   2. Select how far in the past you want to begin polling information from.
6. Click Save.

   

   The TAXII feed appears on the TAXII Feeds screen and will be processed to produce custom intelligence reports. To further check the reports generated from your feed subscriptions, go to Threat Intelligence → Intelligence Reports and click the Custom tab.