Visitor II
May 19, 2026
Solved

MS-ISAC Threat STIX/TAXII Threat Feeds


I was curious if anyone was already ingesting the Malicious IP and/or Domain Lists from their MS-ISAC membership? Someone asked in another community thread if those were included in the FortiGate threat feeds somewhere, but didn't get a response. I've gone through the steps in several documents from support, but keep running into an Internal Error on my FortiGate when I refresh the object. I figured I would check and see if someone had already figured this out and would mind sharing the configuration settings they used to create their successful objects. I'm running a case with support, but it's slow going.

Best answer by Cajuntank

Well, I made the request myself to them and here is what their response was…

“Unfortunately, FortiGates do not play nice with our STIX-TAXII server. Fortinet claims they support STIX-TAXII in one of their firewall versions' documentation, but what they implemented is a STIX parser without a full TAXII client. For that reason, we recommend signing up for our CTI Lists instead of the STIX-TAXII Collections when using FortiGate devices. The CTI Lists contain the same core IPs and Domains as our STIX-TAXII offering, just updated every Monday instead of near real-time.”
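The distinction CIS draws above (a STIX parser is not a TAXII client) is the whole problem: the firewall can read a STIX bundle but cannot do the discovery, API-root and collection walk that gets it to one. The script below is an added example, not code from the thread, from CIS or from Fortinet. It does that walk with a real TAXII 2.1 client, follows envelope paging, and flattens the indicators into the one-entry-per-line text lists a FortiGate "IP Address" or "Domain Name" external feed can already consume. The discovery URL, collection title and credentials are placeholders (assumptions), and the bundle at the bottom is constructed test data using reserved TEST-NET addresses and a `.example` domain.

```python
"""Added example, not code from the thread, CIS or Fortinet: pull a TAXII 2.1
collection with a real TAXII client and flatten its STIX indicators into the
one-entry-per-line text lists a FortiGate 'IP Address' / 'Domain Name' external
feed reads.  Endpoint URLs, collection title and credentials are placeholders
(assumptions); the sample objects at the bottom are constructed test data."""
import base64
import json
import re
import urllib.request

TAXII_MEDIA = "application/taxii+json;version=2.1"

# STIX indicator patterns are bracketed comparisons; these capture the value of
# the two observable types a FortiGate list feed can consume directly.
_IPV4 = re.compile(r"\[ipv4-addr:value\s*=\s*'([^']+)'\]")
_DOMAIN = re.compile(r"\[domain-name:value\s*=\s*'([^']+)'\]")


def taxii_get(url, username, password):
    """GET one TAXII endpoint with HTTP basic auth and the TAXII Accept header."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        url, headers={"Accept": TAXII_MEDIA, "Authorization": f"Basic {token}"}
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def objects_url(discovery_url, collection_title, username, password):
    """Discovery -> API root -> collections: the walk a bare STIX parser skips."""
    disc = taxii_get(discovery_url, username, password)
    root = (disc.get("default") or disc["api_roots"][0]).rstrip("/")
    for col in taxii_get(root + "/collections/", username, password)["collections"]:
        if col["title"] == collection_title:
            return f"{root}/collections/{col['id']}/objects/"
    raise LookupError(f"collection {collection_title!r} not offered at {root}")


def fetch_objects(url, username, password):
    """Follow TAXII 2.1 envelope paging (more/next) and return every object."""
    objs, cursor = [], None
    while True:
        env = taxii_get(url + (f"?next={cursor}" if cursor else ""), username, password)
        objs.extend(env.get("objects", []))
        cursor = env.get("next")
        if not env.get("more") or not cursor:
            return objs


def split_indicators(objects):
    """Return (ips, domains, unhandled): sorted, de-duplicated lists plus the
    patterns that are not a single ipv4-addr/domain-name comparison (hashes,
    compound patterns), kept for review instead of being dropped silently."""
    ips, domains, unhandled = set(), set(), []
    for obj in objects:
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue  # only live indicators; identities, relationships etc. are skipped
        pat = obj.get("pattern", "")
        if m := _IPV4.fullmatch(pat):
            ips.add(m.group(1))
        elif m := _DOMAIN.fullmatch(pat):
            domains.add(m.group(1).lower().rstrip("."))
        else:
            unhandled.append(pat)
    return sorted(ips), sorted(domains), unhandled


def write_feed_files(objects, ip_path="ms-isac-ips.txt", domain_path="ms-isac-domains.txt"):
    """Write the flat lists; serve them over HTTPS to the FortiGate list feeds."""
    ips, domains, unhandled = split_indicators(objects)
    for path, lines in ((ip_path, ips), (domain_path, domains)):
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("\n".join(lines) + ("\n" if lines else ""))
    return len(ips), len(domains), len(unhandled)


# Constructed sample (TEST-NET addresses, reserved .example domain), not real feed data.
SAMPLE_OBJECTS = [
    {"type": "indicator", "id": "indicator--1", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '203.0.113.10']"},
    {"type": "indicator", "id": "indicator--2", "pattern_type": "stix",
     "pattern": "[domain-name:value = 'Bad.Example.']"},
    {"type": "indicator", "id": "indicator--3", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '203.0.113.10']"},          # duplicate, collapsed
    {"type": "indicator", "id": "indicator--4", "pattern_type": "stix", "revoked": True,
     "pattern": "[ipv4-addr:value = '203.0.113.99']"},          # revoked, dropped
    {"type": "indicator", "id": "indicator--5", "pattern_type": "stix",
     "pattern": "[file:hashes.'SHA-256' = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']"},
    {"type": "identity", "id": "identity--1", "name": "constructed sample"},
]

if __name__ == "__main__":
    print(split_indicators(SAMPLE_OBJECTS))
    # Live pull against placeholder endpoints (assumed names, not real MS-ISAC URLs):
    # url = objects_url("https://taxii.example/taxii2/", "Malicious IPs", "user", "pass")
    # print(write_feed_files(fetch_objects(url, "user", "pass")))
```

Run it on a schedule from a host whose egress IP CIS has allowlisted, publish the two text files over HTTPS somewhere the firewall can reach, and point an "IP Address" and a "Domain Name" external feed at them; the hash indicators come back in the `unhandled` list so they can be reviewed and, if wanted, formatted separately for a Malware Hash feed rather than being lost.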


Cajuntank
Contributor III
May 19, 2026

I do this from all of my firewalls. You have to contact them though to exclude your network address to access those lists; otherwise, you will get a 403 error.


“Note: If you have already signed up and are receiving a 403 error when accessing the above links, check your internet-facing IP/CIDR info and email it to OperationsSupport@cisecurity.org.”


The txt file links they provide in the emails are a straightforward copy-paste into a threat feed you create on the firewall, so I bet it's the allowance of your network that needs to be added.
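For reference, here is what the plain-text list objects described in the reply above look like in FortiOS CLI form (`config system external-resource`), as an added example that is not from the thread, from CIS or from Fortinet. The hostname and paths are placeholders (the real links come in the CIS e-mail), the `198.51.100.5` source address is an assumed example, and the object names are arbitrary; check the field names against your own firmware version.

```text
config system external-resource
    edit "MS-ISAC-Malicious-IPs"
        set status enable
        set type address
        set resource "https://cti.example.invalid/malicious-ips.txt"
        set refresh-rate 60
        set source-ip 198.51.100.5
    next
    edit "MS-ISAC-Malicious-Domains"
        set status enable
        set type domain
        set resource "https://cti.example.invalid/malicious-domains.txt"
        set refresh-rate 60
        set source-ip 198.51.100.5
    next
    edit "MS-ISAC-Malicious-Hashes"
        set status enable
        set type malware
        set resource "https://cti.example.invalid/malicious-hashes.txt"
        set refresh-rate 60
        set source-ip 198.51.100.5
    next
end
```

Two points worth the extra lines: no username or password is set, matching the reply's note that the lists are fetched without authentication, and `source-ip` pins the address the FortiGate fetches from to the one you e-mailed to CIS, which is the address their allowlist checks before returning a 403. The refresh rate is an hour rather than five minutes because the CTI Lists change once a week. Once the objects refresh, the IP list is available as an address object in firewall policies, the domain list in DNS Filter profiles, and the hash list in an AntiVirus profile.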

TTUOps (Author)
Visitor II
May 20, 2026

I appreciate the quick response and the fact that you have it working gives me hope.

We did notify them what IP we were coming from, so that part is in place. My firewall has policies to allow it to go out to that site for the https connection already. I'm pretty sure that part is working because if I change the password I get a different error than if I put the correct password in place, which indicates that the firewall is making the https connection successfully and authenticating to the remote web site for the feed. It's likely something in the object I created on the firewall that is causing my problem.


I created two “Fortiguard Category External Feed” objects.  One for the discovery list and the other for the collection list.

Here are the settings for the two objects I created:

Object 1
  • Status: Enabled
  • Name: MS-ISAC TAXII Discovery
  • Update Method: External Feed
  • URL of external resource: stix://cyware.cisecurity.org/ctixapi/ctix21/taxii2/
  • HTTP basic authentication: on
  • Client certificate authentication: off
  • Refresh rate: 5 minutes

Object 2
  • Status: Enabled
  • Name: MS-ISAC TAXII Collection
  • Update Method: External Feed
  • URL of external resource: stix://cyware.cisecurity.org/ctixapi/ctix21/collections/
  • HTTP basic authentication: on
  • Client certificate authentication: off
  • Refresh rate: 5 minutes

I think the first question is, am I using the right object type?  I chose FortiGuard Category, but there’s also IP Address and Domain Name types available.  If you could let me know if you’re using anything different for the object type or any of the settings listed above on your known good and working external feed object, that would probably get me what I need.

Cajuntank
Contributor III
May 20, 2026

Ah... gotcha... you are actually trying to ingest the STIX feed and not the Malicious IP and/or Domain List feeds. I ingest the Malicious IP, Domains, and Hashes lists. According to Fortinet, you are using the correct option of FortiGuard Category.

https://docs.fortinet.com/document/fortigate/7.0.0/new-features/400345/stix-format-for-external-threat-feeds-7-0-2

But I have never attempted to ingest that one before on mine. I might give it a try just to see, but since I do not get that particular email sent, I probably will have to make the separate request for that to them. Also, have you tried just not using authentication? I do not for the IP/Domain/Malware feeds from them and just specify the URL link and a refresh rate.