A Source administered by the Organization
An Inbound TAXII™ Exchange Feed ingests STIX™ (Structured Threat Information eXpression)–formatted data from a TAXII server.
- Log in with an Owner account valid for the desired Source.
- On the top navigation bar (Figure 1), click POSTS to access the Posts screen (Figure 2).
- From the HOME dropdown menu, or from the Intelligence Sources menu on the left-hand side of the page, select a Source, and the Source Profile screen will appear (Figure 3).
- Click on the Source Config icon, and the Source Config screen will appear with the Attribute Types tab selected (Figure 4).
- Click the Data tab, and the Data screen will appear (Figure 5).
- Click the + NEW INBOUND button, and the Configure Inbound TAXII Exchange window will appear with the TAXII tab highlighted (Figure 6).
- Name: Click inside the box to enter a name.
- URL: Click inside the box to enter a URL.
- Discovery URL: Click inside the box, if applicable, to enter a Discovery URL.
- Stix Parser: STIX parsing capabilities can be extended via apps. Native Parser is the default option. Click the drop-down menu to make a selection.
- Parser Version: Click on the drop-down menu to choose the parser version. STIX 1.1.1 Indicators TC_V1 (Legacy Parser) is used for parsing STIX indicators generated by Soltra or STIX Indicators whose cybox:objects are located in separate STIX packages and connecting them via idref. STIX 1.1.1 Indicators TC_V2 is used for parsing ThreatConnect outbound TAXII server data.
- Exchange is Active: Click on the gray rectangle to toggle between Yes and No.
- TAXII Version 1.0: Click on the gray rectangle to toggle between No and Yes. A selection of No indicates that TAXII Version 1.1 is to be used.
- Default Threat Rating: Click the checkbox to enter a default Threat Rating. Five skulls will appear. Select the number of skulls to assign a Threat Rating.
- Default Confidence Rating: Click the checkbox to enter a default Confidence Rating. A slide will appear. Move the button to assign a Confidence Rating.
- URL: Verify that the URL displayed is the one entered in the previous step.
- Username and Password: Click in the boxes to enter each field.
- Enable 2-way Authentication: Click on the gray rectangle and toggle to Yes to provide a Certificate. Provide the Private Key and Certificate found in the .pem certificate file. If the certificate in the .pem certificate file is not in Private Key PKCS#8 format, then it will need to be converted before it is entered into ThreatConnect.
- TEST CONNECTION: Click on this button to test the connection.
- Select the appropriate Service.
- Feed: Click inside the box to enter the feed name.
- Subscription: If applicable, click inside the box to enter a subscription ID.
- Check for available feeds: Click on the blue text to view and select a feed.
- Next Execution Time: Click in the box, and a calendar will pop up to select the date and time.
- Collection Interval: Click inside the box to manually change the time, or use the plus and minus signs to set the time (in hours).
- Initialize Data From: Click in the box, and a calendar will pop up to select the date.
- Log Document Name: Click in the box to enter a name.
- Would you like to save all inbound messages: Click on the gray rectangle to toggle to Yes.
STIX™ and TAXII™ are trademarks of The MITRE Corporation.