How to share Cyber Threat Information through AIS
The Automated Indicator Sharing (AIS) platform uses open standards: the Structured Threat Information Expression (STIX™) for cyber threat indicators and defensive measures information and the Trusted Automated Exchange of Indicator Information (TAXII™) for machine-to-machine communications.
Using standards allows threat activity context such as tactics, techniques, and procedures, vulnerabilities, and courses of action to be shared through a communications protocol to and from participants.
Sharing Cyber Threat Indicators and Defensive Measures
AIS uses a server/client architecture for communications. AIS participants connect to AIS with a STIX/TAXII client (which can be built or bought from commercial vendors) to exchange cyber threat indicators and defensive measures with CISA and, in turn, other AIS participants via the AIS TAXII Server.
CISA respects organizational privacy; AIS anonymizes submissions by default when transmitting them, meaning that the identity of the submitter is not revealed without the prior express consent of the submitter.
In the future, CISA intends to provide additional AIS features to allow participants to identify the most operationally relevant indicators. As CISA receives participant feedback, it will continue to perform updates to make AIS as useful and relevant to the community as possible.
Request help
CISA conducts conference calls or webinars with companies that have questions about the on-boarding requirements or receiving, using, or sharing indicators and defensive measures. Engagement requests can be sent to cyberservices@cisa.dhs.gov.
Additional Resources
Additional information on how to share cyber threat indicators and defensive measures via the bidirectional AIS TAXII connection is found in the AIS Submission Guidance document.
Automated Indicator Sharing (AIS) 2.0 Submission Guidance
The AIS 2.0 Submission guidance v1.0 can be utilized with the AIS 2.0 profile v1.0 document to help AIS participants understand all requirements for submissions to AIS.
AIS 2.0 Submission Guidance
Online reporting
You may also share cyber threat information with CISA, including cyber threat indicators and defensive measures potentially subject to the protections of CISA 2015, using the Share indicators and defensive measures submission form found on CISA's Incident Reporting page.