An Inbound TAXII™ Exchange Feed ingests STIX™ (Structured Threat Information eXpression)–formatted data from a TAXII server.
Creating an Inbound TAXII Exchange Feed
- Log in with an Owner account valid for the desired Source.
- On the top navigation bar (Figure 1), click Posts to access the Posts screen (Figure 2).
- From the Home dropdown menu, or from the Intelligence Sources menu on the left-hand side of the page, select a Source, and the Source Profile screen will be displayed (Figure 3).
- Click on the Source Config icon, and the Source Config screen will be displayed with the Attribute Types tab selected (Figure 4).
- Click the Data tab, and the Data screen will be displayed (Figure 5).
- Click the + NEW INBOUND button, and the Configure Inbound TAXII Exchange window will be displayed with the TAXII tab highlighted (Figure 6).
- Name: Click inside the box to enter a name.
- URL: Click inside the box to enter a URL.
- Discovery URL: Click inside the box, if applicable, to enter a Discovery URL.
- Stix Parser: Use the dropdown menu to choose the STIX parser to use in the feed. The STIX parser will determine how incoming STIX documents are interpreted and subsequently imported into ThreatConnect. Select STIX 1.1.1 Parser, which replaces Attributes, or STIX 1.1.1 Parser (Attribute Merge), which appends Attributes. See STIX and CybOX Parser Data Mappings for the data mappings that apply to the STIX 1.1.1 parser. Do not select Native Parser (the current default option), because it is being deprecated in the near future. Existing configurations using the Native Parser should be migrated as soon as possible.
- Parser Version: If an option other than Native Parser has been selected under the Stix Parser dropdown menu, then this field will not be available. As stated in the explanation for the Stix Parser field, Native Parser should not be selected.
- Exchange is Active: Click on the gray rectangle to toggle between Yes and No.
- TAXII Version 1.0: Click on the gray rectangle to toggle between No and Yes. A selection of No indicates that TAXII Version 1.1 is to be used.
- Default Threat Rating: Click the checkbox to enter a default Threat Rating. Five skulls will appear. Select the number of skulls to assign a Threat Rating.
NOTE: It is highly recommended to assign a Default Threat Rating value at this time for follow-on analyst workflows, applications, or Playbooks that may need to query for Indicators.
- Default Confidence Rating: Click the checkbox to enter a default Confidence Rating. A slide will appear. Move the button to assign a Confidence Rating.
NOTE: It is highly recommended to assign a Default Confidence Rating value at this time for follow-on analyst workflows, applications, Indicator deprecation, or Playbooks that may need to query for Indicators.
- URL: Verify that the URL displayed is the one entered in the previous step.
- Username and Password: Click in the boxes to enter each field.
- Enable 2-way Authentication: Click on the gray rectangle and toggle to Yes to provide a Certificate. Provide the Private Key and Certificate found in the .pem certificate file. If the certificate in the .pem certificate file is not in Private Key PKCS#8 format, then it will need to be converted before it is entered into ThreatConnect. As the type of Private Key required by the distant TAXII server can vary, please contact the TAXII server administrator for information about the standard required for that server. Then extract and convert the saved .pem file to the proper format.
- TEST CONNECTION: Click on this button to test the connection if the remote TAXII server allows for connection testing.
- If the connection was tested and successful, the Available Services table will be populated. Select the appropriate Service if applicable.
- Feed: If applicable, click inside the box to enter the desired feed name or the feed name provided by the administrator of the remote TAXII server. If no feed name has been entered, clicking on the Check for available feeds text and then selecting a feed from the table will populate this field.
- Subscription: If applicable, click inside the box to enter a subscription ID.
- Check for available feeds: If the remote TAXII server allows for this functionality, click on the Check for available feeds text to view a table of available feeds. Choose a feed from the table and then click the Select Feed button to populate the Feed field with the information for that feed.
- Poll Start Date: This field determines the date from which the TAXII server will start polling data. Click in the box, and a calendar will pop up to select the date, with sliders at the bottom to fine-tune the selection by hour, minute, and second.
- Collection Interval (hours): This field defines the date–time range, in hours, for polling requests. For example, if it is set to 4 hours, the TAXII service will poll for and receive data in 4-hour increments from the TAXII server. Click inside the box to manually change the time, or use the plus and minus signs to set the time (in hours).
- Log Document Name: Click in the box to enter a name.
- Would you like to save all inbound messages: If document storage has been allocated for the Source, click on the gray rectangle to toggle it to Yes.
CybOX™, STIX™, and TAXII™ are trademarks of The MITRE Corporation.