A Source administered by the Organization
An Outbound TAXII™ Exchange Feed pushes STIX™ (Structured Threat Information eXpression)–formatted data to a TAXII server via a mailbox.
- Log in with an Owner account valid for the desired Source.
- On the top navigation bar (Figure 1), click POSTS (Figure 1) to access the Posts screen (Figure 2).
- From the HOME dropdown menu, or from the Intelligence Sources menu on the left-hand side of the page, select a Source, and the Source Profile screen will appear (Figure 3).
- Click on the Source Config icon, and the Source Config screen will appear with the Attribute Types tab selected (Figure 4).
- Click the Data tab, and the Data screen will appear (Figure 5).
- Click the + NEW OUTBOUND button, and the Configure Outbound TAXII Exchange window will appear with the TAXII tab highlighted (Figure 6).
- Name: Click inside the box to enter a name.
- URL: Click inside the box to enter a URL.
- Discovery URL: Click inside the box, if applicable, to enter a Discovery URL.
- Translator Version: Click on the drop-down menu to choose the format of the outbound STIX. STIX 1.1.1 Indicators TC_V2 is the recommended translator. It converts ThreatConnect Indicators to individual STIX Indicators and is compatible with the TC_V2 Parser. It also inserts pipe-delimited metadata (Description, Source, Threat Rating, ThreatAssess score, False Positives, and Owner) into each Indicator’s description and includes Observations and Confidence Rating in separate STIX fields. STIX 1.1.1 Indicators TC_V1 (Legacy Translator) aggregates multiple ThreatConnect Indicators into a single watchlist for a particular type of Indicator and is compatible with the TC_V1 Parser.
- Exchange is Active: Click on the gray rectangle to toggle between Yes and No.
- TAXII Version 1.0: Click on the gray rectangle to toggle between No and Yes. A selection of No indicates that TAXII Version 1.1 is to be used.
- Default Threat Rating: Click the checkbox to enter a default Threat Rating. Five skulls will appear. Select the number of skulls to assign a Threat Rating.
- Default Confidence Rating: Click the checkbox to enter a default Confidence Rating. A slide will appear. Move the button to assign a Confidence Rating.
- URL: Verify that the URL displayed is the one entered in the previous step.
- Username and Password: Click in the boxes to enter each field.
- Enable 2-way Authentication: Click on the gray rectangle and toggle to Yes to provide a Certificate. Provide the Private Key and Certificate found in the .pem certificate file.
- TEST CONNECTION: Click on this button to test the connection.
- Select the appropriate Service.
- Inbox: Click in the box to enter a name.
- Check for available inboxes: Click on the blue text to view and select an Inbox.
- Next Execution Time: Click in the box, and a calendar will pop up to select the date and time.
- Collection Interval: Click inside the box to manually change the time, or use the plus and minus signs to set the time (in hours).
- Initialize Data From: Click in the box, and a calendar will pop up to select the date.
STIX™ and TAXII™ are trademarks of The MITRE Corporation.