Technical Forum
Ask questions. Discover Answers.
Showing results for 
Search instead for 
Did you mean: 
Custom Alert Banner

STIX/TAXII security intelligence sharing


Companies normally use a variety of security products in their infrastructure wether on premise or in the cloud. Now I see a lot of security companies performing integration with STIX/TAXII using API to share their intelligence feeds (with active subscriptions). I cannot find anyhing other then the following discussion with TAG Cyber.

Personally I strongly believe this is the way to move forward to have multiple security intel sources and share these with different products leading to a alligned security posture.

Is there any update on this development?


Community Manager
Community Manager

Hi @Marvin, that isn't the usual type of question we get here, but it might kick off an interesting discussion. I'm in the process of trying to find you an answer. Not sure if @AaronJB might have a response, maybe?

I'm afraid not - I'm not aware of any active development toward either consuming or publishing third party feeds - it's possible that there might be BIG-IP NEXT work going on in that regard that I'm not aware of, but certainly not anything I can find in Classic BIG-IP.

NEXT PM is probably the group to reach out to, if you have any contacts there.


Ok, but I see other major leading security vendors (not mentioning names here) already doing this where you can use TAXII server feeds to "import" this shared intelligence and enforce it on your product. I also found vulnerability scanners supporting STIX format as well.

I think F5 development should also focus on this and see how to embed this feature, for example with F5 AFM / IP intelligence to support the STIX format and read intel. AFM IP intelligence already supports external feeds but not STIX format I believe. It would also be interesting to do the same for ASM file uploads feature to detect malicious malware hash (information which is publicly available). For SWG / SSL Orchestrator URL filtering to detect malicious IP/domains, just to name a few.

Interesting project that integrates with third party.

I see this as a very strong standard which allows end users to combine several intelligence feeds/sources and have a similar security posture regardless of the security technology used. 

This is indeed not an easy question but perhaps something for the F5 security architect to investigate, which I would find interesting in that position (perhaps Heath Parrot could have a look or someone from his team).

Oppertunities come with great ideas 🙂 NEXT PM not sure what that means but will inform my local F5 contacts about this.