Creating an Inbound TAXII Exchange Feed

Last Updated: Jul 19, 2018 02:48PM EDT
Organization Administrator
A Source administered by the Organization

Overview

An Inbound TAXII™ Exchange Feed ingests STIX™ (Structured Threat Information eXpression)–formatted data from a TAXII server.

Steps

  1. Log in with an Owner account valid for the desired Source.
  2. On the top navigation bar (Figure 1), click POSTS to access the Posts screen (Figure 2).
  3. From the HOME dropdown menu, or from the Intelligence Sources menu on the left-hand side of the page, select a Source, and the Source Profile screen will appear (Figure 3).
  4. Click on the Source Config  icon, and the Source Config screen will appear with the Attribute Types tab selected (Figure 4).
  5. Click the Data tab, and the Data screen will appear (Figure 5).
  6. Click the + NEW INBOUND button, and the Configure Inbound TAXII Exchange window will appear with the TAXII tab highlighted (Figure 6).
    • Name: Click inside the box to enter a name.
    • URL: Click inside the box to enter a URL.
    • Discovery URL: Click inside the box, if applicable, to enter a Discovery URL.
    • Stix Parser: STIX parsing capabilities can be extended via apps. Native Parser is the default option. Click the drop-down menu to make a selection.
    • Parser Version: Click on the drop-down menu to choose the parser version. STIX 1.1.1 Indicators TC_V1 (Legacy Parser) is used for parsing STIX indicators generated by Soltra or STIX Indicators whose cybox:objects are located in separate STIX packages and connecting them via idref. STIX 1.1.1 Indicators TC_V2 is used for parsing ThreatConnect outbound TAXII server data.
    • Exchange is Active: Click on the gray rectangle to toggle between Yes and No.
    • TAXII Version 1.0: Click on the gray rectangle to toggle between No and Yes. A selection of No indicates that TAXII Version 1.1 is to be used.
    • Default Threat Rating: Click the checkbox to enter a default Threat Rating. Five skulls will appear. Select the number of skulls to assign a Threat Rating.
    • Default Confidence Rating: Click the checkbox to enter a default Confidence Rating. A slide will appear. Move the button to assign a Confidence Rating.
  7. Click the Next button, and the Login screen will appear (Figure 7).
    • URL: Verify that the URL displayed is the one entered in the previous step.
    • Username and Password: Click in the boxes to enter each field.
    • Enable 2-way Authentication: Click on the gray rectangle and toggle to Yes to provide a Certificate. Provide the Private Key and Certificate found in the .pem certificate file. If the certificate in the .pem certificate file is not in Private Key PKCS#8 format, then it will need to be converted before it is entered into ThreatConnect.
    • TEST CONNECTION: Click on this button to test the connection.
    • Select the appropriate Service.
  8. Click the Next button, and the Feed screen will appear (Figure 8).
    • Feed: Click inside the box to enter the feed name.
    • Subscription: If applicable, click inside the box to enter a subscription ID.
    • Check for available feeds: Click on the blue text to view and select a feed.
  9. Click the Next button, and the Schedule screen will appear (Figure 9).
    • Next Execution Time: Click in the box, and a calendar will pop up to select the date and time.
    • Collection Interval: Click inside the box to manually change the time, or use the plus and minus signs to set the time (in hours).
    • Initialize Data From: Click in the box, and a calendar will pop up to select the date.
  10. Click the Next button, and the Logging screen will appear (Figure 10).
    • Log Document Name: Click in the box to enter a name.
    • Would you like to save all inbound messages: Click on the gray rectangle to toggle to Yes.
  11. Click the Next button, and the Confirm screen will appear (Figure 11). Confirm that the entered information is correct.
  12. Click the SAVE button.
 
  STIX and TAXII are trademarks of The MITRE Corporation.

20058-02 EN Rev. C

Contact Us

  • ThreatConnect, Inc.
    3865 Wilson Blvd.
    Suite 550
    Arlington, VA 22203

    Toll Free:   1.800.965.2708
    Local: +1.703.229.4240
    Fax +1.703.229.4489

    Email Us



https://cdn.desk.com/
false
desk
Loading
seconds ago
a minute ago
minutes ago
an hour ago
hours ago
a day ago
days ago
about
false
Invalid characters found
/customer/en/portal/articles/autocomplete