Nozomi Networks TI TAXII Feed
The web format of this guide reflects the most current release. Guides for older iterations are available in PDF format.
Integration Details
ThreatQuotient provides the following details for this integration:
Guide Version | 1.0.0 |
TAXII Server Version | 2.0.0 |
Compatible with ThreatQ Versions | >= 5.6.0 |
Support Tier | Developer Supported |
Developer Contact | https://www.nozominetworks.com/support |
Introduction
The Nozomi Networks Threat Feed is a data feed of the latest emerging threat data from across the industry that can be used outside or independent of our Guardian and Vantage platforms.
This data feed comprises Nozomi Networks’ operational technology (OT) Indicators of Compromise (IOCs). The content is hosted on the Nozomi Networks Trusted Automated eXchange of Intelligence Information (TAXII) server in the cloud and can be accessed globally.
IOC classes in the feed include malicious URLs, malicious MD5, malicious domains, malicious SHA-1, malicious IP addresses, and malicious SHA-256.
This feed is a TAXII feed and does not require installation files from the ThreatQ Marketplace.
Prerequisites
You will need your Nozomi Networks username and password to set up this TAXII feed in ThreatQ.
Setting up the TAXII Feed
ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.
To set up and configure the TAXII feed:
- Navigate to your integrations management page in ThreatQ.
- Click on the Add New Integration button and select the Add New TAXII Feed option.
- Enter the following feed settings:
Parameter | Description |
---|---|
What would you like to name this feed | Enter the name of the feed. This is the name that the ThreatQ UI will display. |
How often would you like to pull new data from this feed | Select the frequency at which the feed is pulled. Options include: Every Hour, Every 6 Hours, Every Day, Every 2 Days, Every 14 Days, Every 30 Days. |
- Enter the TAXII Connection Settings:
Parameter | Description |
---|---|
TAXII Server Version | Select the 2.0 option from the dropdown menu. |
Discovery URL | Enter the Nozomi URL: https://ti-taxii.nws.nozominetworks.io/taxii/ |
Poll URL | Optional - enter a URL for a specific endpoint on the TAXII server to poll for data. If this field is left blank, the TAXII client will determine the appropriate path via the Collections Service. |
Collection Name/Title | Enter the Nozomi collection name to pull. |
- Leave the Disable Proxies setting unchecked.
- Enter your Nozomi Login Credentials:
Parameter | Description |
---|---|
Username | Enter your Nozomi username. |
Password | Enter your Nozomi password. |
- Leave the Certificate/Keys fields blank.
- Leave the Verify SSL field selected and paste a Host Bundle (if applicable).
- Click on Add TAXII Feed.
The TAXII feed will now appear as an integration tile card on your My Integrations page using the display name you supplied in step 3. You can also click on the Category dropdown and select STIX/TAXII to filter your view.
- Click on the TAXII feed's tile card to open up its details page.
- Click on the Enable toggle switch, located above the Additional Information section, to enable the TAXII feed.
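The path resolution a TAXII 2.0 client performs when Poll URL is left blank, shown as an added example (not ThreatQ or Nozomi code): it walks discovery, API roots and collections, matches the Collection Name/Title, and refuses to send Basic credentials to a non-HTTPS URL. The function names, the `taxii.example.test` host, the `ot-iocs` title and the collection IDs are constructed; the endpoint layout and media type follow the TAXII 2.0 specification, and `ca_bundle` stands in for the Host Bundle setting.

```python
import base64
import json
import ssl
import urllib.request
from urllib.parse import urljoin, urlsplit

TAXII20 = "application/vnd.oasis.taxii+json; version=2.0"

def make_fetch(username, password, ca_bundle=None):
    """Return fetch(url) -> dict using Basic auth with certificate verification on."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    ctx = ssl.create_default_context(cafile=ca_bundle)  # optional custom CA bundle
    def fetch(url):
        req = urllib.request.Request(url, headers={
            "Accept": TAXII20, "Authorization": f"Basic {token}"})
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return json.load(resp)
    return fetch

def _https(url):
    # Basic auth is only base64-encoded, so never send it over plain HTTP.
    if urlsplit(url).scheme != "https":
        raise ValueError(f"refusing to send credentials to non-HTTPS URL: {url}")
    return url

def resolve_poll_url(discovery_url, collection_title, fetch):
    """Discovery -> API roots -> collections; return the objects URL to poll."""
    discovery = fetch(_https(discovery_url))
    roots = list(discovery.get("api_roots", []))
    if discovery.get("default") in roots:  # try the server's default root first
        roots.insert(0, roots.pop(roots.index(discovery["default"])))
    for root in roots:
        root = _https(urljoin(discovery_url, root).rstrip("/") + "/")
        for col in fetch(root + "collections/").get("collections", []):
            if col.get("title") == collection_title:
                if not col.get("can_read", False):
                    raise PermissionError(f"no read access to {collection_title!r}")
                return f"{root}collections/{col['id']}/objects/"
    raise LookupError(f"collection {collection_title!r} not found")

# Constructed sample responses keyed by URL (not real Nozomi data).
SAMPLE = {
    "https://taxii.example.test/taxii/": {
        "title": "Example", "default": "https://taxii.example.test/api1/",
        "api_roots": ["https://taxii.example.test/api1/"]},
    "https://taxii.example.test/api1/collections/": {"collections": [
        {"id": "91a7b528-80eb-42ed-a74d-c6fbd5a26116", "title": "ot-iocs", "can_read": True},
        {"id": "52892447-4d7e-4f70-b94d-d7f22742ff63", "title": "restricted", "can_read": False}]},
}
if __name__ == "__main__":  # offline run against the constructed responses
    print(resolve_poll_url("https://taxii.example.test/taxii/", "ot-iocs", SAMPLE.__getitem__))
```

Against a live server, pass `make_fetch(username, password)` as the `fetch` argument instead of the sample lookup.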
Average Feed Run
Object counts and Feed runtime are supplied as generalities only - objects returned by a provider can differ based on credential configurations and Feed runtime may vary based on system resources and load.
Every Day (24 hours)
Metric | Result |
---|---|
Run Time | 1 minute |
Indicator | 1 |
Indicator Attributes | 3 |
Malware | 1 |
Malware Attributes | 2 |
Signature | 1 |
Signature Attributes | 3 |
Change Log
- Version 1.0.0
- Initial release
PDF Guides
Document | TAXII Version | ThreatQ Version |
---|---|---|
Nozomi Networks Threat Intelligence TAXII Feed v1.0.0 | 2.0.0 | 5.6.0 or Greater |