TAXII Feed
TAXII Feed Pack.#
This Integration is part of theSupported versions
Supported Cortex XSOAR versions: 5.5.0 and later.
The TAXII Feed integration ingests indicator feeds from TAXII 1.x servers.
#
Configure TAXIIFeed on Cortex XSOAR- Navigate to Settings > Integrations > Servers & Services.
- Search for TAXIIFeed.
- Click Add instance to create and configure a new integration instance.
- Name: a textual name for the integration instance.
- Fetch indicators: boolean flag. If set to true will fetch indicators.
- Fetch Interval: Interval of the fetches.
- Reliability: Reliability of the feed.
- Traffic Light Protocol Color: The Traffic Light Protocol (TLP) designation to apply to indicators fetched from the feed. More information about the protocol can be found at https://us-cert.cisa.gov/tlp
- Trust any certificate (not secure)
- Use system proxy settings
- Discovery Service: TAXII discovery service endpoint. For example:
http://example.com/taxii-discovery-service
- Collection: Collection name to fetch indicators from.
- Subscription ID: Subscription ID for the TAXII consumer.
- Username: Username/Password (if required)
- Request Timeout: Time (in seconds) before HTTP requests timeout.
- Poll Service: Used by a TAXII Client to request information from a TAXII Server.
- API Key: API key used for authentication with the TAXII server.
- API Header Name: API key header to be used to provide API key to the TAXII server. For example, "Authorization".
- First Fetch Time: The time interval for the first fetch (retroactive). [number][time unit] of type minute/hour/day. For example, 1 minute, 12 hours, 7 days.
- Click Test to validate the URLs, token, and connection.
#
Step by step configurationAs an example, we'll use the public TAXII threat intelligence feed by Abusech accessible via _Hail a TAXII. These are the feed instance configuration parameters for our example.
Indicator Reputation - Because this is just an example, we can leave the default value. Ordinarily you would set the reputation based on the specific feed's information about what type of indicators they are returning, i.e., whether they are good or bad.
Source Reliability - Because this is just an example, we can leave the default value. Ordinarily you would set the reliability according to your level of trust in this feed.
Indicator Expiration Method - For this example, we can leave the default value here. Ordinarily you would set the value according to the type of feed you were fetching from. As an example, let's that you are a customer of a Cloud Services provider and you want to add the URLs from which that provider serves up many of the services you use to your network firewall exclusion list. Assuming that that same Cloud Services provider maintains an up-to-date feed of the URLs from which they currently provide service, you would probably want to configure a feed integration instance with this parameter set to Expire indicators when they disappear from feed
so that you don't continue to mark a given URL with a Good
reputation after it is no longer being used by your Cloud Services provider.
Feed Fetch Interval - For this example, we can leave the default value here.
Discovery Service - Enter http://example.com/taxii-discovery-service
.
Collection - Enter guest.Abuse_ch
.
Subscription ID - No need to enter a value here for this example since the TAXII server we are addressing does not require it so we'll leave it blank.
Username - Enter guest
.
Password - Enter guest
.
Request Timeout - Let's increase the number to 80
seconds since the request may take a while to complete.
Poll Service - We don't have to enter a value here for this example because the poll service will be determined dynamically in the integration code if it is not explicitly provided.
API Key - We don't have to enter a value here for this example because the TAXII server we are addressing doesn't require an API key.
API Header Name - We don't have to enter a value here for this example because the TAXII server we are addressing doesn't require an API header name.
First Fetch Time - Since this example feed isn't very high volume, let's enter 500 days
to make sure we fetch a sufficient number of indicators.
Click the Test
button and ensure that a green Success
message is returned.
Now we have successfully configured an instance for the TAXII threat intelligence feed by Abusech accessible via _Hail a TAXII, once we enable Fetches indicators
the instance will start pulling indicators.
By clicking Mapping
in the integration instance, we can map indicator data returned by the feed to actual indicator fields in Cortex XSOAR.
We can use Set up a new classification rule
using actual data from the feed.
#
Get indicatorsGets indicators from the the feed.
#
Base Commandget-indicators
#
InputArgument Name | Description | Required |
---|---|---|
limit | The maximum number of results to return. | Optional |
initial_interval | The time interval for the first fetch (retroactive). <number> <time unit> of type minute/hour/day. For example, 1 minute, 12 hours, 7 days. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
TAXII.Indicator.Value | String | The indicator value. |
TAXII.Indicator.Type | String | The indicator type. |
TAXII.Indicator.Title | String | The observable title. |
TAXII.Indicator.Description | String | The observable description. |
TAXII.Indicator.Stixindicatordescription | String | The indicator description. |
TAXII.Indicator.Stixindicatorname | String | The indicator title. |
TAXII.Indicator.Stixttptitle | String | The ttp title. |
TAXII.Indicator.Stixmalwaretypes | String | The stix malware type. |
TAXII.Indicator.Confidence | String | The indicator confidence. |
TAXII.Indicator.Score | String | The indicator DBot score. |
TAXII.Indicator.Relationships | String | The indicator relationships. |
TAXII.Indicator.Fields | Unknown | The indicator fields. |
TAXII.Indicator.Rawjson | Unknown | The indicator rawJSON value. |
#
Command Example!get-indicators limit=1 initial_interval="1 day"
#
Context Example#
Human Readable Output#
Indicators
Value Type Rawjson https://example.com URL indicator: https://example.com
type: URL
indicator_ref: opensource:Observable-9fe6464a-4a53-4269-90c6-d81013b2073e
stix_title: URL: https://example.com...
stix_description: URL: https://example.com\| isOnline:yes| dateVerified:2021-11-06T21:53:09+00:00
share_level: white
TLP: WHITE
stix_indicator_name: phishTank.com id:7341640 with malicious URL:https://example.com...
stix_indicator_description: This URL:[https://example.com] was identified by phishtank.com as part of a phishing email. This URL appears to still be online as of 2021-11-06T21:53:09+00:00. More detailed infomation can be found at http://www.phishtank.com/phish_detail.php?phish_id=7341640
confidence: High
ttp_ref: opensource:ttp-c819f3ef-fbc3-4077-8d56-bf619c8d9b29
relationships: {'stix_ttp_title': 'Email Emmbedded URL', 'ttp_description': 'Target Users via Email by adding a malicious URL', 'type': 'Attack Pattern', 'indicator': 'URL embedded in Email', 'value': 'URL embedded in Email'}
value: https://example.com