How to use a TAXII feed with the McAfee ESM


The Cyber Threat Manager allows the McAfee ESM to receive and parse Indicators of Compromise, or IOCs, and display them in the dashboards. There are various ways to pass IOCs to the McAfee ESM, from STIX files or McAfee's own ATD devices, but one of the best ways is to receive a TAXII feed. It can be automated and that's always nice.

First, let’s talk a little about IOC files. These are structured files that are difficult for people to read, but they contain a lot of information about potential threats. IOCs can provide things such as IP addresses of bad destinations or URLs of malicious sites. Even though we might have a hard time reading the raw IOCs, the McAfee ESM can parse them and show them to us in a friendly format.

Setting up the TAXII Feed

We’re going to set up a TAXII feed and configure it to send us the latest IOCs from its repository automatically.

Let’s get started. To set up a threat feed, click on the System Properties and then select the Cyber Threat Feeds section.


Click on the Add button and that will bring up the Cyber Threat Feed Wizard.

The first step is to name the feed. You can call it anything you’d like, so I’m just going to call my feed hailataxii and click Next.


On this screen I select where I pull my feed from. When I click on the dropdown for the type, I have many options available. Most of these options retrieve a file from a remote location such as an SFTP server or an NFS share. We can also pull the IOC from a McAfee ATD.

We’re going to add the hailataxii feed. Select TAXII from the dropdown.

Then enter as the URL

Select the radio button next to POST and enter guest.dataForLast_7daysOnly as the Collection Name.


On the Watchlist tab, we can have the IOC automatically populate one or more watchlists. For example, we can add any file hashes found in an IOC to a watchlist of malicious MD5 hashes; for that you would select File_Hash as the watchlist type. You can then use that watchlist in reports, filters, or correlation rules that automatically generate an alert when the file hash is seen again in the future. Here we’ll put the items identified by the TAXII feed into a watchlist for malicious URLs.

I'm going to select the URL field and then create a watchlist for these URLs by clicking the Create New Watchlist button.

On the next screen I'll name the watchlist and click Next.


Now I make this a watchlist for URLs by selecting URL from the dropdown, then click Finish.


Now I just need to select my newly created watchlist from the dropdown.


The final tab lets you configure Backtrace. Backtrace automatically checks whether this IOC has been seen in the past, and you can have it generate an alarm when there is a match.


Now that we have our Cyber Threat Feed created for hailataxii, we can click the Retrieve button to start pulling IOCs.

Using the IOC Data

I can now view the IOCs in the McAfee ESM interface by clicking on the Cyber Threat Indicators button in the top right. That brings me to the Cyber Threat Dashboard. I can see the Indicator Name, the Feed that provided the IOC, the date received, and the Backtrace Hit Count, which is the number of times the indicator has been seen in the past. I can also download the IOC from the McAfee ESM with the download link.


At the bottom, I also have a row of tabs that can be used to view various details of the IOC.

In the description tab, I can see a description that was provided with the IOC.


In the Details tab, I can see the parsed IOC data. This shows things like file names, hashes, and IP addresses that make up the IOC. This tab has taken all that difficult-to-read data and put it in an organized format.

The Source Events tab lists events whose attributes matched details of the IOC and were found by the Backtrace feature. I can view the events and see why a system might have triggered a Backtrace hit.

Finally, the Source Flows tab lists the network flows that Backtrace found.

I can also take a look at the watchlist that I created. When I go to the watchlist section in the Configuration menu, I can select my watchlist and see its contents. These are updated automatically whenever the feed does a scheduled pull, and you can use the watchlist in correlation rules and other alarms.
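As an added illustration of what the feed does behind the scenes (this is not code from the original article or from McAfee): the STIX package a TAXII poll returns is parsed into values typed for a URL or File_Hash watchlist, and a Backtrace-style lookup counts the past events that reference each indicator. The STIX package, the event lines and the IP watchlist label are constructed assumptions.

```python
# Added example: parse a STIX 1.x package (what a TAXII 1.x poll returns) into
# ESM-style watchlist entries, then run a Backtrace-style lookup over past events.
import re
import xml.etree.ElementTree as ET
NS = {"URIObj": "http://cybox.mitre.org/objects#URIObject-2",   # CybOX namespaces used
      "AddrObj": "http://cybox.mitre.org/objects#AddressObject-2",  # by the XPath queries
      "cyboxCommon": "http://cybox.mitre.org/common-2"}

# Constructed STIX 1.1 package with one URL, one MD5 and one IPv4 indicator.
STIX_SAMPLE = """<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
 xmlns:indicator="http://stix.mitre.org/Indicator-2" xmlns:cybox="http://cybox.mitre.org/cybox-2"
 xmlns:URIObj="http://cybox.mitre.org/objects#URIObject-2" xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
 xmlns:AddrObj="http://cybox.mitre.org/objects#AddressObject-2" xmlns:cyboxCommon="http://cybox.mitre.org/common-2">
 <stix:Indicators>
  <stix:Indicator><indicator:Observable><cybox:Object><cybox:Properties>
   <URIObj:Value>http://malicious.example/payload.exe</URIObj:Value>
  </cybox:Properties></cybox:Object></indicator:Observable></stix:Indicator>
  <stix:Indicator><indicator:Observable><cybox:Object><cybox:Properties><FileObj:Hashes>
   <cyboxCommon:Hash><cyboxCommon:Type>MD5</cyboxCommon:Type>
   <cyboxCommon:Simple_Hash_Value>0123456789ABCDEF0123456789abcdef</cyboxCommon:Simple_Hash_Value></cyboxCommon:Hash>
  </FileObj:Hashes></cybox:Properties></cybox:Object></indicator:Observable></stix:Indicator>
  <stix:Indicator><indicator:Observable><cybox:Object><cybox:Properties>
   <AddrObj:Address_Value>203.0.113.5</AddrObj:Address_Value>
  </cybox:Properties></cybox:Object></indicator:Observable></stix:Indicator>
 </stix:Indicators>
</stix:STIX_Package>"""

# Constructed historical events; the 203.0.113.55 line must NOT count as a hit.
EVENTS = ["proxy src=192.168.1.20 url=http://malicious.example/payload.exe action=allow",
          "edr host=ws-07 file=payload.exe md5=0123456789abcdef0123456789ABCDEF",
          "fw src=192.168.1.20 dst=203.0.113.55 action=allow",
          "fw src=192.168.1.21 dst=203.0.113.5 action=deny"]


def parse_indicators(xml_text):
    # Group values by the ESM watchlist type that would receive them.
    # URL and File_Hash are the article's type names; "IP" is an assumed label.
    root = ET.fromstring(xml_text)
    return {"URL": [e.text for e in root.iterfind(".//URIObj:Value", NS)],
            "File_Hash": [e.text.lower() for e in root.iterfind(".//cyboxCommon:Simple_Hash_Value", NS)],
            "IP": [e.text for e in root.iterfind(".//AddrObj:Address_Value", NS)]}


def backtrace(watchlists, events):
    # Backtrace hit count per indicator: whole-token, case-insensitive matching,
    # so 203.0.113.5 does not hit on 203.0.113.55 and hash letter case is ignored.
    hits = {}
    for values in watchlists.values():
        for value in values:
            token = re.compile(r"(?<![\w.])" + re.escape(value) + r"(?![\w.])", re.IGNORECASE)
            hits[value] = sum(1 for event in events if token.search(event))
    return hits
```

Run `backtrace(parse_indicators(STIX_SAMPLE), EVENTS)` to get the per-indicator hit counts; each of the three indicators matches exactly one event.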


So, that’s a quick overview of the Cyber Threat Manager in the McAfee ESM. With the ability to parse IOCs, use that intelligence to find historical matches, and add IOC data to watchlists, this is a powerful tool for finding that specific needle in a haystack.


I have followed these instructions to a T and don't seem to be pulling any data. I am on 9.6, not sure if that makes a difference.

Other than checking the Cyber Threat Indicator button, does ESM create any logs of these connections?

Should the watchlist be a static one or a dynamic one?

If it's static it collects huge data on a daily basis, right? Kindly suggest.

Hi all,

I am just learning ESM at the moment. So, my URL watchlist for ATD is filled, but I have not found any scenario where a URL was added to the TAXII watchlist.

Has anyone a hint for me?


From the cyber threat feed, it gets the URLs from the source and appends them to the URL TAXII watchlist.

Hello,

thanks for the reply. So, I configured everything, but when I'm looking into the Watchlist it is always empty. 😕


You mean to say you don't see any values? Can you confirm the count in the watchlist overview?

How do I remove IOCs when I no longer need them?

With manually loaded indicators sourced from CERTs the numbers grow and grow and grow. I can put aging on the watchlists but does this remove the IOC records?

Version history
Revision #: 1 of 1
Last update: 08-19-2015 07:48 AM