The TAXII Feed integration ingests indicator feeds from TAXII 1.x servers.
Configure TAXIIFeed on Demisto
- Navigate to Settings > Integrations > Servers & Services.
- Search for TAXIIFeed.
- Click Add instance to create and configure a new integration instance.
- Name: a textual name for the integration instance.
- Fetch indicators: Boolean flag. If set to true, the instance fetches indicators.
- Fetch Interval: Interval of the fetches.
- Reliability: Reliability of the feed.
- Traffic Light Protocol Color: The Traffic Light Protocol (TLP) designation to apply to indicators fetched from the feed. More information about the protocol can be found at https://us-cert.cisa.gov/tlp
- Trust any certificate (not secure)
- Use system proxy settings
- Discovery Service: TAXII discovery service endpoint. For example:
- Collection: Collection name to fetch indicators from.
- Subscription ID: Subscription ID for the TAXII consumer.
- Username: Username/Password (if required)
- Request Timeout: Time (in seconds) before HTTP requests time out.
- Poll Service: Used by a TAXII Client to request information from a TAXII Server.
- API Key: API key used for authentication with the TAXII server.
- API Header Name: API key header to be used to provide API key to the TAXII server. For example, "Authorization".
- First Fetch Time: The time interval for the first fetch (retroactive). [number][time unit] of type minute/hour/day. For example, 1 minute, 12 hours, 7 days.
- Click Test to validate the URLs, token, and connection.
Step by step configuration
As an example, we'll use the public TAXII threat intelligence feed by Abuse.ch accessible via Hail a TAXII. These are the feed instance configuration parameters for our example.
Indicator Reputation - Because this is just an example, we can leave the default value. Ordinarily you would set the reputation based on the specific feed's information about what type of indicators they are returning, i.e., whether they are good or bad.
Source Reliability - Because this is just an example, we can leave the default value. Ordinarily you would set the reliability according to your level of trust in this feed.
Indicator Expiration Method - For this example, we can leave the default value here. Ordinarily you would set the value according to the type of feed you were fetching from. As an example, let's say that you are a customer of a Cloud Services provider and you want to add the URLs from which that provider serves up many of the services you use to your network firewall exclusion list. Assuming that the same Cloud Services provider maintains an up-to-date feed of the URLs from which they currently provide service, you would probably want to configure a feed integration instance with this parameter set to Expire indicators when they disappear from feed so that you don't continue to mark a given URL with a Good reputation after it is no longer being used by your Cloud Services provider.
Feed Fetch Interval - For this example, we can leave the default value here.
Discovery Service - Enter
Collection - Enter
Subscription ID - No need to enter a value here for this example since the TAXII server we are addressing does not require it so we'll leave it blank.
Username - Enter
Password - Enter
Request Timeout - Let's increase the number to 80 seconds since the request may take a while to complete.
Poll Service - We don't have to enter a value here for this example because the poll service will be determined dynamically in the integration code if it is not explicitly provided.
API Key - We don't have to enter a value here for this example because the TAXII server we are addressing doesn't require an API key.
API Header Name - We don't have to enter a value here for this example because the TAXII server we are addressing doesn't require an API header name.
First Fetch Time - Since this example feed isn't very high volume, let's enter 500 days to make sure we fetch a sufficient number of indicators.
Click the Test button and ensure that a green Success message is returned.
Now we have successfully configured an instance for the TAXII threat intelligence feed by Abuse.ch accessible via Hail a TAXII. Once we enable Fetches indicators, the instance will start pulling indicators.
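The Poll Service fallback and the First Fetch Time format described above, sketched as an added example (not the integration's own code): it picks the first available HTTPS POLL service from a TAXII 1.1 Discovery_Response and turns a First Fetch Time string into a start time. The sample XML, the host name and the function names are constructed for illustration, and refusing non-HTTPS addresses and DTD-bearing responses is an assumption of this sketch.

```python
import re
import xml.etree.ElementTree as ET
from datetime import timedelta
from urllib.parse import urlparse

TAXII_11 = "{http://taxii.mitre.org/messages/taxii_xml_binding-1.1}"

# Constructed sample, trimmed to the fields used here (hypothetical host).
SAMPLE_DISCOVERY = """<taxii_11:Discovery_Response
    xmlns:taxii_11="http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
    message_id="2" in_response_to="1">
  <taxii_11:Service_Instance service_type="DISCOVERY" available="true">
    <taxii_11:Address>https://taxii.example.test/taxii-discovery-service</taxii_11:Address>
  </taxii_11:Service_Instance>
  <taxii_11:Service_Instance service_type="POLL" available="false">
    <taxii_11:Address>https://taxii.example.test/old-poll</taxii_11:Address>
  </taxii_11:Service_Instance>
  <taxii_11:Service_Instance service_type="POLL" available="true">
    <taxii_11:Address>https://taxii.example.test/taxii-data</taxii_11:Address>
  </taxii_11:Service_Instance>
</taxii_11:Discovery_Response>"""


def resolve_poll_service(discovery_xml, explicit_poll_service=None):
    """Return the configured Poll Service, else the first available POLL address."""
    if explicit_poll_service:
        return explicit_poll_service
    if "<!DOCTYPE" in discovery_xml or "<!ENTITY" in discovery_xml:
        raise ValueError("DTD/entity declarations are not accepted from a feed server")
    root = ET.fromstring(discovery_xml)
    for svc in root.iter(TAXII_11 + "Service_Instance"):
        if svc.get("service_type") != "POLL" or svc.get("available") != "true":
            continue
        address = (svc.findtext(TAXII_11 + "Address") or "").strip()
        if urlparse(address).scheme == "https":  # do not follow a downgrade to http
            return address
    raise ValueError("no available HTTPS poll service advertised")


def first_fetch_begin(first_fetch, now):
    """Turn '[number] [time unit]' (minute/hour/day) into the poll window start."""
    m = re.fullmatch(r"\s*(\d+)\s*(minute|hour|day)s?\s*", first_fetch.lower())
    if not m:
        raise ValueError("expected e.g. '1 minute', '12 hours', '7 days'")
    return now - timedelta(**{m.group(2) + "s": int(m.group(1))})
```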
With Mapping in the integration instance, we can map indicator data returned by the feed to actual indicator fields in Cortex XSOAR.
We can use Set up a new classification rule using actual data from the feed.
Gets indicators from the feed.
| Argument Name | Description | Required |
| --- | --- | --- |
| limit | The maximum number of results to return. | Optional |
| initial_interval | The time interval for the first fetch (retroactive). | Optional |

| Path | Type | Description |
| --- | --- | --- |
| TAXII.Indicator.Value | String | The indicator value. |
| TAXII.Indicator.Type | String | The indicator type. |
| TAXII.Indicator.Rawjson | Unknown | The indicator rawJSON value. |
!get-indicators limit=5 initial_interval="10 days"