An Outbound TAXII™ Exchange Feed pushes STIX™ (Structured Threat Information eXpression)–formatted data to a TAXII server via a mailbox.
- Log in with an Owner account valid for the desired Source.
- On the top navigation bar (Figure 1), click POSTS (Figure 1) to access the Posts screen (Figure 2).
- From the HOME dropdown menu, or from the Intelligence Sources menu on the left-hand side of the page, select a Source, and the Source Profile screen will appear (Figure 3).
- Click on the Source Config icon, and the Source Config screen will appear with the Attribute Types tab selected (Figure 4).
- Click the Data tab, and the Data screen will appear (Figure 5).
- Click the + NEW OUTBOUND button, and the Configure Outbound TAXII Exchange window will appear with the TAXII tab highlighted (Figure 6).
- Name: Click inside the box to enter a name.
- URL: Click inside the box to enter a URL.
- Discovery URL: Click inside the box, if applicable, to enter a Discovery URL.
- Translator Version: Click on the dropdown menu to choose the format of the outbound STIX. STIX 1.1.1 Indicators TC_V2 is the recommended translator. It converts ThreatConnect Indicators to individual STIX Indicators and is compatible with the TC_V2 Parser. It also inserts pipe-delimited metadata (Description, Source, Threat Rating, ThreatAssess score, False Positives, and Owner) into each Indicator’s description and includes Observations and Confidence Rating in separate STIX fields. STIX 1.1.1 Indicators TC_V1 (Legacy Translator) aggregates multiple ThreatConnect Indicators into a single watchlist for a particular type of Indicator and is compatible with the TC_V1 Parser.
- Exchange is Active: Click on the gray rectangle to toggle between Yes and No.
- TAXII Version 1.0: Click on the gray rectangle to toggle between No and Yes. A selection of No indicates that TAXII Version 1.1 is to be used.
- Default Threat Rating: Click the checkbox to enter a default Threat Rating. Five skulls will appear. Select the number of skulls to assign a Threat Rating.
NOTE: It is highly recommended to assign a Default Threat Rating value at this time for follow-on analyst workflows, applications, or Playbooks that may need to query for Indicators.
- Default Confidence Rating: Click the checkbox to enter a default Confidence Rating. A slide will appear. Move the button to assign a Confidence Rating.
NOTE: It is highly recommended to assign a Default Confidence Rating value at this time for follow-on analyst workflows, applications, Indicator deprecation, or Playbooks that may need to query for Indicators.
- URL: Verify that the URL displayed is the one entered in the previous step.
- Username and Password: Click in the boxes to enter each field.
- Enable 2-way Authentication: Click on the gray rectangle and toggle to Yes to provide a Certificate. Provide the Private Key and Certificate found in the .pem certificate file. If the certificate in the .pem certificate file is not in Private Key PKCS#8 format, then it will need to be converted before it is entered into ThreatConnect.
- TEST CONNECTION: Click on this button to test the connection if the remote TAXII server allows for connection testing.
- If the connection was tested and successful, the Available Services table will be populated. Select the appropriate Service if applicable.
- Inbox: If applicable, click inside the box to enter the desired inbox name or the inbox name provided by the administrator of the remote TAXII server. If no inbox name has been entered, clicking on Check for available inboxes and then selecting an inbox from the table will populate this field.
- Check for available inboxes: If the remote TAXII server allows for this functionality, click on the blue text to view a table of available inboxes. Choose an inbox from the table and then click the Select Inbox button to populate the Inbox field with the information for that inbox.
- Next Execution Time: This field determines the date on which the TAXII server will start polling data.Click in the box, and a calendar will pop up to select the date and time.
- Collection Interval: This field defines the time period for which information is to be pulled during the polling request. Click inside the box to manually change the time, or use the plus and minus signs to set the time (in hours).
- Initialize Data From: This field overrides the Collection Interval to pull in data from the given date in the initial request. It is typically left blank, but can be set if required. Click in the box, and a calendar will pop up to select the date.
NOTE: Do not choose an initial date that will cause the data retrieved to exceed the import limit for file size. See the ThreatConnect System Administration Guide or consult your System Administrator for more information about file size limits for import.
- Package TLP: Use the dropdown menu to select the Traffic Light Protocol level that will limit the data pushed by the feed.
- ID Prefix: Click on the dropdown menu to select the namespace prefix for generated STIX IDs.
STIX™ and TAXII™ are trademarks of The MITRE Corporation.