STIX Sources
Structured Threat Information Expression (STIX) sources deliver threat intel in CTIX in the STIX format. The supported STIX formats are STIX 1.x, STIX 2.0, and STIX 2.1. STIX sources are classified into categories such as Community, Open Source, Subscriber, and System Feed. You can also add custom categories based on your requirements. Categorizing these sources allows you to determine the source of information and use it efficiently.
After an STIX source is configured, it starts receiving threat intel according to the set polling type for the STIX source. You can poll a STIX source on demand to import the necessary STIX data.
Before you Start
Ensure that you have Create Feed Source permissions and Update Feed Source permissions to access the STIX sources
Steps
To add a STIX source, follow these steps:
Go to Administration > Integration Management and click STIX under FEED SOURCES.
Click Add STIX Source.
Enter the following details:
Source Name: Enter a unique name within 50 characters to identify the source.
Description: Enter a source description within 300 characters which describes key details and functions of the source.
Discovery Service URL: Enter the TAXII and TAXII 2 URLs shared by the source organization in the Discovery Service URL. For example, if you are subscribing to a threat intelligence source, you need to specify the discovery URL shared by the organization for Intel Exchange to authenticate and communicate with it.
Verify SSL: Select Verify SSL to verify and secure the connection between the Intel Exchange and STIX servers.
If you disable this option, Intel Exchange may configure an instance for an expired SSL certificate. This may not establish the connection properly and Intel Exchange will not be able to notify you in case of a broken or improper connection. It is recommended to select this option.
Confidence: Enter a confidence score between 0 and 100 based on your reliability of the source.
Custom Scores: Enter the default values for the custom scores you have configured in Administration > Configuration > Custom Scores.
STIX Version: Select a STIX version in which the source shares STIX packages. A STIX version allows you to define the format in which the feeds are shared. You cannot modify this version after adding a STIX source.
Select Category: Select a category to categorize sources based on parameters, such as shared threat data, investigation details, and more. You can choose from community feeds, open-source feeds, subscriber sources, and system feeds.
Intel Exchange allows you to add a custom category for specific feeds and sources. Enter the custom category name in Select Category and select Add Category from the drop-down list.
Authentication Type: Select from the following authentication types to provide integrity to the STIX threat intel exchange:
Basic: Enter the username and password provided by the source organization to authenticate the threat intel source.
Certificate: Enter the subscriber ID, public certificate, and private key to authenticate the threat intel source. You can click Add Public Certificate to create and add a new certificate. For more information about certificates, see Manage Certificates.
Basic and Certificate: Enter the username, password, subscriber ID, public certificate, and private key to authenticate the threat intel source using certificates, username, and password. You can click Add Public Certificate to create and add a new certificate. For more information about certificates, seeManage Certificates.
None: Select this option if the source is open-source and does not require any authentication for threat intel exchange.
Data Marking Type: Select the default access control marking type to assign to the threat data objects received from the source. The default marking type is applied if the ingested threat data objects do not include data marking details. Select one of the following marking types:
TLP: Select TLP to mark objects under Traffic Light Protocol (TLP). By default, TLP amber is selected.
ACS: Select ACS to mark objects under Access Control Specification (ACS). You can also upload the default ACS identity for the objects in JSON format and click Validate to verify if the uploaded JSON data is valid.
Note
You can select the ACS marking type if the administrator has enabled ACS as the data marking preference in Administration > Configuration > General Settings > Data Marking Preference.
Click Add STIX Source.
After a STIX source is added, the Discovery Service URL from which the source is fetched automatically populates the source collections. These source collections allow you to poll data and view the threat intel from the source in Threat Data.
Define Polling Configurations
After adding a STIX source, you can view all the collections defined for a STIX source and define the polling configuration for every collection.
Before you Start
Ensure that you have Create permissions and View and Update permissions to define polling configurations.
Steps
To define the polling configurations, follow these steps:
Go to Administration > Integration Management, and click STIX under FEED SOURCES.
Select a STIX source and a STIX collection.
Click on More Actions, and select Edit Poll Configurations.
In the case of system-defined sources, this option is not enabled for any changes.
Enter the subscriber ID.
Select from the following polling types:
Automatic: Select Automatic to poll feed sources from the STIX source automatically. Enter the frequency in seconds at which the polling can take place.
Manual: Select Manual to poll the feed source from the STIX source manually.
Enter the confidence score between 0 and 100 based on your reliability of the source. By default, the confidence score you define while adding the STIX source will be added here.
Click Update.
Manage a STIX Source
After you add a STIX source, you can do the following activities :
Edit: Click the vertical ellipsis and select Edit to edit the STIX source details, such as source name, description, confidence score, discovery URL, custom scores, data marking type, source category, authentication type, and more. You can only modify the description, confidence score, custom score, and data marking type of the Import source.
Delete: Click the vertical ellipsis and select Delete to delete a STIX source.
Enable/Disable: Turn on or turn off the toggle to enable or disable a STIX source. If you disable a STIX source, the application can no longer poll from the collection of this source. You cannot disable a source if its collections are subscribed.
Filters: Click on Search or filter results to filter sources based on the created range, status, and the STIX version.