Configure Subscribers to Receive CTIX Threat Intel over TAXII
Trusted Automated eXchange of Indicator Information (TAXII) is a protocol used to exchange cyber threat intelligence (CTI) over HTTPS. TAXII defines an API (a set of services and message exchanges) and a set of requirements for TAXII clients and servers that align with common sharing models.
You can configure third-party applications such as Splunk Enterprise, Tanium, Darktrace, and Anomali as subscribers in CTIX to share threat intelligence feeds using the TAXII protocol.
Before you Start
Ensure that you have the following before you configure subscribers in CTIX using TAXII:
The subscriber must support TAXII 1.1 or TAXII 2.x to receive feeds in STIX format from the CTIX TAXII server.
Add the third-party applications as subscribers in CTIX and receive the CTIX TAXII credentials: the TAXII Discovery URL, username, and password. See Add Subscribers Manually in CTIX.
Ensure that you have the TAXII Discovery URL. The TAXII Discovery URL allows TAXII clients to discover your CTIX TAXII server and connect to it securely for threat intel exchange. See View TAXII and MISP URLs.
TCP port 443 and the TAXII server domains must be reachable and on your organization's allowlists.
Integrate with Splunk Enterprise Application
Use the following procedure to receive STIX or TAXII feeds from CTIX into the Splunk Enterprise application.
Before you start
You must have administrator access to the Splunk Enterprise application.
You must have internet connectivity from Splunk Enterprise to the TAXII domain on TCP port 443.
You must add the TAXII domain and the TCP port to your allowlists if there are firewall restrictions in your infrastructure.
Steps
Sign in to the Splunk Enterprise application.
Navigate to Configure > Data Enrichment > Threat Intelligence Management.
Click New > TAXII.
Fill in the following fields in the form:
Tip
You will add two feeds, therefore, give them unique but consistent names and descriptions. The collection name in the POST arguments must be different as well.
Name: Enter CTIX_Feed and CTIX_Member_Feed as the names.
Description: Enter a description of the feeds.
URL: Enter the TAXII URL. For example, https://taxii.cyware.com/ctixapi/taxii/poll, where taxii.cyware.com is a TAXII domain and will differ based on your requirement.
Weight: Enter a risk or confidence weight for the feed. A higher weight results in higher risk scores for corresponding intelligence matches. The default value is 60.
Interval: Enter the polling interval in seconds. The starting value is 3600 seconds.
Max Age: Enter the maximum age of the feed in days. The default value is 30 days.
POST Arguments:
collection="CTIX Feed" earliest="-14d" taxii_username="your_username" taxii_password="your_password"
collection="CSAP Submissions" earliest="-14d" taxii_username="your_username" taxii_password="your_password"
Threat Intelligence: Default (auto)
Parsing: Default (auto)
Advanced: Default (for all settings)
Click Save.
Refer to the following sample screenshots.
View CTIX Feeds in Splunk
Use one of the following methods to verify the received intel feeds:
In the Splunk Enterprise application, navigate to Audit > Threat Intelligence Audit.
Verify that the feeds are present in the Intelligence Downloads panel. An exit_status of 0 means the download was successful.
You can see Splunk's internal logs of threat intelligence downloads by using the bottom panel.
Sourcetype: threatintel:download
In the Splunk Enterprise application, navigate to Security Intelligence > Threat Intelligence > Threat Artifacts.
Verify that the feeds are present in the Threat Overview panel.
You can also run manual searches using the lookup tables and internal Splunk logs.
Use the following queries to search feeds in the lookup table:
| inputlookup ip_intel | search threat_key="ctix:*"
| inputlookup certificate_intel | search threat_key="ctix:*"
| inputlookup file_intel | search threat_key="ctix:*"
| inputlookup process_intel | search threat_key="ctix:*"
Use the following query to search feeds in the internal Splunk logs:
index=_internal sourcetype="threat*" ctix
To view the threat matches on the Threat Activity dashboard, navigate to Security Intelligence > Threat Intelligence > Threat Activity. Threat Group and Threat Category are most likely undefined.
Integrate with Tanium
Use the following procedure to receive STIX or TAXII feeds from CTIX into the Tanium application.
Sign in to Tanium.
Select Modules from the top bar and select Threat Response.
Select Sources, click New Source and enter the details.
Select TAXII as the Source Type.
Enter the name, description, discovery URL, username, and password.
The URL, username, and password are sent to you in an email from CTIX.
Select a collection to store the feeds.
Click Create.
Cabby Request Examples
taxii.cyware.com is an example of a TAXII domain and will differ based on your requirement.
Discovery Requests
taxii-discovery \
--host taxii.cyware.com \
--path /ctixapi/taxii/ \
--https \
--username please_fill_username \
--password please_fill_password
Collection Requests
taxii-collections \
--path https://taxii.cyware.com/ctixapi/taxii/collection/ \
--username please_fill_username \
--password please_fill_password
Poll Requests
taxii-poll \
--host taxii.cyware.com \
--discovery /ctixapi/taxii/ \
--https \
--collection "Collection Name" \
--username please_fill_username \
--password please_fill_password \
--begin 2021-02-19T00:41:22.856Z \
--end 2021-02-20T00:41:22.856Z
Integrate with Darktrace
Use the following procedure to receive STIX or TAXII feeds from CTIX into Darktrace.
Before you Start
You must have the subscriber credentials from CTIX.
Steps
Sign in to Darktrace.
Navigate to the left menu > Intel (white/blacklist) > TAXII Config.
Navigate to CONFIGURED TAXII SERVERS.
Click ADD NEW TAXII SERVICE.
Enter the following details:
Field Name
Description
Host
Enter the hostname.
Port
Enter 443 as the port number.
https
Select this option to encrypt the communication between the servers.
Username
Enter the username as received from CTIX through email.
Password
Enter the password as received from CTIX through email.
Collection
Enter the feed name. For example, “TLP:AMBER CTIX Feed”, or the case-sensitive feed name from the list of feeds in the Feed Overview section.
Discovery Path
Enter the discovery path that identifies the server to which the application will connect. For example, https://taxii.cyware.com/ctixapi/taxii/poll, where taxii.cyware.com is a TAXII domain and will differ based on your requirement.
Polling Interval
Enter the polling interval in seconds to add a buffer between polling periods. Polling once or twice per day is usually sufficient.
Refer to the following sample screenshot.
Click Submit.
You can navigate to STIX INBOUND SOURCES to see the new entry.
Integrate with Microsoft Sentinel
Integrate CTIX in the Microsoft Sentinel application to receive the STIX or TAXII feeds.
Before you Start
You must have read and write permissions on the workspace.
You must have the TAXII 2.0 or TAXII 2.1 server URL and the collection ID.
Steps
Sign in to the Microsoft Sentinel application.
Navigate to the Data Connector.
Configure the following details:
Friendly Name: Enter a name to identify the server.
API Root URL: Enter the API root URL. For example, https://taxii.cyware.com/ctixapi/taxii21/, where taxii.cyware.com is a TAXII domain and will differ based on your requirement.
Collection ID: Enter your collection ID.
Username: Enter the username as received from CTIX.
Password: Enter the password as received from CTIX.
Click Add.
Note
Microsoft Sentinel has standardized on STIX 2.0, which was introduced in mid-2020. Earlier versions of STIX data (1.0, 1.1, and so on) are not supported and cannot be processed using the 2.0 standard.
Integrate with Anomali
Integrate CTIX in the Anomali application to receive STIX or TAXII feeds.
Steps
Sign in to the Anomali application.
Enter the name of your TAXII feed integration, discovery URL, username, and password as received from CTIX.
Select Use Site SSL Verification and Basic Authentication.
Click Add Site.
Set the confidence score of the indicators received from CTIX TAXII feeds.
Set an expiration date for your API.
Configure the polling details, and collection, and click Save and Run Now.
Integrate with LogRhythm
Integrate CTIX in the LogRhythm application to receive STIX or TAXII feeds.
Steps
Sign in to LogRhythm.
In the Threat Intelligence Service Manager, click Add Custom Source.
On Add STIX/TAXII Provider, enter the provider details such as threat provider name, TAXII collection endpoint, TAXII version, username, password, and more.
Test the STIX connection using the Test button.
Click Save.
Refer to the following sample screenshot.
Integrate with CISCO Email Security Virtual Appliance
Integrate CTIX with the CISCO Email Security Virtual Appliance to receive STIX or TAXII feeds.
Steps
Sign in to CISCO Email Security Virtual Appliance.
Click Mail Policies > External Threat Feeds Manager.
Click Add Source.
Enter the details required to configure the TAXII source.
Refer to the following sample screenshot.
Click Submit to commit the changes.
Integrate with Threat Connect
Integrate CTIX with Threat Connect to receive STIX or TAXII feeds.
Steps
Sign in to Threat Connect.
Navigate to the TAXII configuration page and configure the TAXII source.
Enter the details required for TAXII configuration.
Refer to the following sample screenshot.
Test the connection. Ensure that two-way authentication is disabled.
Check for available feeds. This displays three feeds. You can choose the required feeds and proceed to the next step.
Set a schedule and configure a logging name and go to the Confirm tab.
The Confirm tab shows the details of your TAXII configuration.
Click Save.
Integrate with Minemeld Miner
Integrate CTIX in the Minemeld Miner application to receive STIX or TAXII feeds.
Steps
Sign in to Minemeld Miner and navigate to the SYSTEM menu in the top right corner.
Select the Extensions tab on the left side.
Click the git button to download and install the minemeld-taxii-ng extension directly from git, or click the upload button if your server doesn't have direct Internet access.
Activate the extension by selecting the checkbox on the right side.
The minemeld-taxii-ng extension is available on GitHub at https://github.com/PaloAltoNetworks/minemeld-taxii-ng
With the extension installed, navigate to the CONFIG menu (top right) and click the Browse Prototypes (hamburger) button at the bottom of the page.
Create a new prototype for the TAXII feeds by clicking the taxiing.phishtank prototype and then selecting NEW (top right).
Give the new local prototype a name, change the level status to STABLE, and enter a description. Leave the indicator types as ANY to pull in all IOC types from Soltra; tags are optional. Update the collection and discovery_service values for the TAXII feeds. Click OK when done.
The collection is the same as the feed name. See the Automated Feed Information.pdf document supplied by TAXII for available feeds.
More information about age_out and attribute values can be found here: https://live.paloaltonetworks.com/t5/MineMeld-Articles/Configuring-nodes/ta-p/77185
Select the newly created prototype and click Clone to create a new miner node using this prototype. Give the node a name and click OK.
The new miner node should now be listed, click COMMIT to save the new configuration and deploy the new node.
Navigate to the NODES menu (top right) and select the new node. Enter your username and password for Soltra and click the verify cert box twice to enable certificate verification. Click on the refresh button next to the Last Run to refresh the miner, you should now see the indicator count increment.
Repeat the process for each additional H-ISAC feed you choose to mine.
Update to Minemeld
Running the latest version of Minemeld (0.9.66) with the same miner version (0.1b10) no longer appears to give the GUI options to change the username and password once you clone a node. The username, password, and certificate verification must be hardcoded in the new miner config before cloning; then it works. This is not an ideal way of doing it, but it is a quick workaround. Use the following miner configuration text:
age_out:
    default: last_seen+30d
    sudden_death: false
attributes:
    confidence: 80
    share_level: amber
indicator_types: null
source_name:
collection:
discovery_service:
password: *PASSWORD*
username: *USER*
verify_cert: false
Configuration
Sign in to Minemeld Miner.
Open the Configurations page and fill in the following details.
URL - Enter the URL. For example, https://taxii.cyware.com/ctixapi/taxii/poll, where taxii.cyware.com is a TAXII domain and will differ based on your requirement.
The following feed names must be configured.
DHS CISCP Feed - Noted to be high confidence, low volume.
DHS AIS Feed - Noted to be higher volume and normal confidence
Member CSAP Submissions
Enter the username and password. The username and password will be provided by Cyware in an email.
The below screenshot shows an example.
Integrate with Sumo Logic Cloud SIEM Enterprise
Integrate CTIX in the Sumo Logic Cloud SIEM Enterprise to receive STIX or TAXII feeds.
Steps
Sign in to Sumo Logic Cloud SIEM Enterprise.
Navigate to Threat Intelligence on the Content menu.
Click Add New Source and select Create TAXII Feed.
Enter the fields in Edit Source as shown in the following screen.
Integrate with RSA NetWitness
Integrate CTIX in RSA NetWitness to receive STIX or TAXII feeds.
Steps
Sign in to RSA NetWitness.
Navigate to Files, and select Services.
Select a Contexthub Server to view the data sources, lists, and STIX sources.
Select the STIX tab and click on the + button.
Select TAXII Server from the drop-down menu to configure a TAXII server.
Enter the URL, username, password, and more details in the form as received from CTIX.
Click Validate and then Save to enable the configuration.
Refer to the following sample screenshot.
Integrate with MISP
MISP is an open-source TIP that facilitates sharing, storing, and correlating information on Indicators of Compromise (IOCs). It also provides comprehensive information about targeted attacks, threat intelligence, financial fraud information, vulnerability information, or counter-terrorism information. By integrating CTIX with MISP, you can fetch threat intel from the CTIX application for the MISP events and view this data on the MISP platform.
To integrate CTIX in the MISP application to receive STIX or TAXII feeds, see Integrate CTIX with MISP.
Integrate with QRadar Threat Intelligence
IBM QRadar Threat Intelligence application pulls in threat intelligence feeds by using the open standard STIX and TAXII formats, and deploys the data to create custom rules for correlation, searching, and reporting. Integrate Intel Exchange (CTIX) as a threat intelligence feed application in QRadar Threat Intelligence to receive STIX or TAXII feeds.
Before you Start
Ensure that you have configured an authorized service token in QRadar before you configure a TAXII feed. For more information, see Configuring the Threat Feeds Downloader.
Ensure that you have configured a subscriber in Intel Exchange and downloaded the subscriber details, such as username, password, and TAXII URLs. For more information, see Add Subscriber Manually in CTIX.
Steps
To integrate Intel Exchange as a threat intelligence feed application in QRadar Threat Intelligence, follow these steps:
Sign in to the QRadar Threat Intelligence application.
Go to Menu > Threat Intelligence and click the Feeds Downloader icon on the upper right.
Click Add Threat Feed and select Add TAXII Feed.
On the Connection tab, enter the following details:
TAXII Endpoint: Enter the TAXII URL of your Intel Exchange application.
Note
Modify the TAXII URL of Intel Exchange to the format QRadar supports. For example,
Intel Exchange TAXII 2.0 URL:
https://prod.sampledomain.com/ctixapi/ctix2/taxii/
QRadar supported TAXII Endpoint:
https://prod.sampledomain.com/ctixapi/ctix2/collections/
Version: Select the TAXII 2.0 version to poll data in STIX 2.0 format.
Authentication Method: Select the HTTP Basic authentication method to authenticate data polling requests to Intel Exchange using the username and password of the subscriber.
Username: Enter the username of the subscriber you have configured in Intel Exchange.
Password: Enter the password of the subscriber.
Click Discover.
Note
If the connection with the TAXII server of your Intel Exchange application results in any error, see Troubleshooting QRadar Threat Intelligence to resolve the error.
Go to the Parameter tab and enter the following details:
Collections: Select the STIX collection from which you want to poll data.
Observable Type: Select an IOC type to poll. For example, IPv4 Address. Only data related to the selected IOC types will be polled. The IOC types that QRadar supports are IPv4 Address, IPv6 Address, Domain Name, Email, URL, File Hash, File Name, and User Account.
Polling Intervals: Select a polling frequency for the QRadar Threat Intelligence application to poll data from Intel Exchange. The default polling interval is hourly. We recommend setting the polling interval to daily.
Poll Initial Date: Select the time from which you want to poll data. We recommend keeping the initial polling date within the previous 15 days.
Reference Set: Select a reference set to store feeds polled from Intel Exchange. For more information about reference sets, see the IBM QRadar Administration Guide.
Click Add.
Note
To poll more observable types from Intel Exchange (such as Domain Name, Email, and other supported types), repeat steps 6 and 7.
Click Next.
Verify the configuration parameters, and then click Save.
You can view the configured Intel Exchange feed under Configured Threat Intelligence Feeds. Click Poll Now to retrieve data from Intel Exchange. Click the configured reference set name to view the data retrieved from Intel Exchange.
cURL Request Examples
Client URL (cURL) is a command line tool that enables data transfer over various network protocols. It communicates with a web or application server by specifying a relevant URL and the data that needs to be sent or received. curl is powered by libcurl, a portable client-side URL transfer library.
Important
In the following request examples, taxii.cyware.com is an example of a TAXII domain and will differ based on your requirement.
The examples use HTTP Basic authentication, which sends the username and password base64-encoded in the Authorization header. Base64 is an encoding, not encryption; the HTTPS connection is what protects the credentials in transit. For more information about base64 encoding, refer to Encode to Base64.
For TAXII Discovery
curl --request POST 'https://taxii.cyware.com/ctixapi/taxii/' \
--header 'Content-Type: application/xml' \
--header 'User-Agent: libtaxii.httpclient' \
--header 'x-taxii-accept: urn:taxii.mitre.org:message:xml:1.1' \
--header 'x-taxii-content-type: urn:taxii.mitre.org:message:xml:1.1' \
--header 'x-taxii-protocol: urn:taxii.mitre.org:protocol:https:1.0' \
--header 'x-taxii-services: urn:taxii.mitre.org:services:1.1' \
--header 'Accept: application/xml' \
--header 'Authorization: Basic base64_encoded(username:password)' \
--data-raw '<taxii_11:Discovery_Request xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:taxii="http://taxii.mitre.org/messages/taxii_xml_binding-1" xmlns:taxii_11="http://taxii.mitre.org/messages/taxii_xml_binding-1.1" xmlns:tdq="http://taxii.mitre.org/query/taxii_default_query-1" xsi:schemaLocation="http://taxii.mitre.org/messages/taxii_xml_binding-1.1" message_id="5267020880072015457"/>'
TAXII Collection Request
curl --request POST 'https://taxii.cyware.com/ctixapi/taxii/collection/' \
--header 'Content-Type: application/xml' \
--header 'User-Agent: libtaxii.httpclient' \
--header 'x-taxii-accept: urn:taxii.mitre.org:message:xml:1.1' \
--header 'x-taxii-content-type: urn:taxii.mitre.org:message:xml:1.1' \
--header 'x-taxii-protocol: urn:taxii.mitre.org:protocol:https:1.0' \
--header 'x-taxii-services: urn:taxii.mitre.org:services:1.1' \
--header 'Accept: application/xml' \
--header 'Authorization: Basic base64_encoded(username:password)' \
--data-raw '<taxii_11:Collection_Information_Request xmlns:taxii="http://taxii.mitre.org/messages/taxii_xml_binding-1" xmlns:taxii_11="http://taxii.mitre.org/messages/taxii_xml_binding-1.1" xmlns:tdq="http://taxii.mitre.org/query/taxii_default_query-1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://taxii.mitre.org/messages/taxii_xml_binding-1.1" message_id="7076685636329719912"/>'
TAXII Poll Request
curl --request POST 'https://taxii.cyware.com/ctixapi/taxii/poll/' \
--header 'Content-Type: application/xml' \
--header 'User-Agent: libtaxii.httpclient' \
--header 'x-taxii-accept: urn:taxii.mitre.org:message:xml:1.1' \
--header 'x-taxii-content-type: urn:taxii.mitre.org:message:xml:1.1' \
--header 'x-taxii-protocol: urn:taxii.mitre.org:protocol:https:1.0' \
--header 'x-taxii-services: urn:taxii.mitre.org:services:1.1' \
--header 'Accept: application/xml' \
--header 'Authorization: Basic base64_encoded(username:password)' \
--data-raw '<taxii_11:Poll_Request xmlns:taxii_11="http://taxii.mitre.org/messages/taxii_xml_binding-1.1" message_id="42158" collection_name="Collection Name">
  <taxii_11:Exclusive_Begin_Timestamp>2021-02-20T00:41:22.856Z</taxii_11:Exclusive_Begin_Timestamp>
  <taxii_11:Inclusive_End_Timestamp>2021-02-21T00:41:22.856Z</taxii_11:Inclusive_End_Timestamp>
  <taxii_11:Poll_Parameters allow_asynch="false">
    <taxii_11:Response_Type>FULL</taxii_11:Response_Type>
    <taxii_11:Content_Binding binding_id="urn:stix.mitre.org:xml:1.2"/>
  </taxii_11:Poll_Parameters>
</taxii_11:Poll_Request>'
TAXII 2.0 Discovery Request
curl --request GET 'https://taxii.cyware.com/ctixapi/ctix2/taxii/' \
--header 'Accept: application/vnd.oasis.taxii+json; version=2.0' \
--header 'Authorization: Basic base64_encoded(username:password)'
TAXII 2.0 Collection Request
curl --request GET 'https://taxii.cyware.com/ctixapi/ctix2/collections/' \
--header 'Accept: application/vnd.oasis.taxii+json; version=2.0' \
--header 'Authorization: Basic base64_encoded(username:password)'
TAXII 2.1 Discovery Request
curl --location --request GET 'https://taxii.cyware.com/ctixapi/ctix21/taxii2/' \
--header 'Authorization: Basic base64_encoded(username:password)' \
--header 'Accept: application/taxii+json;version=2.1'
TAXII 2.1 Collection Request
curl --location --request GET 'https://taxii.cyware.com/ctixapi/ctix21/collections/' \
--header 'Authorization: Basic base64_encoded(username:password)' \
--header 'Accept: application/taxii+json;version=2.1'
CYTAXII2
CYTAXII2 acts as a TAXII client that you can install as a Python (pip) library. It implements all TAXII services according to the TAXII 2.x specifications:
Poll: consume intel from sources such as Cyware Threat feeds or any other source that sends you threat intel in the STIX format using the TAXII protocol.
Inbox: contribute and send intel to a collection on a TAXII server.
See the CYTAXII2 documentation.
Other than CYTAXII2, you can also use the following open-source TAXII clients:
LibTAXII (Open Source Python Library)
Cabby Client (open source and available for free)
FAQs
How often should I poll for feeds?
Polling frequency depends on your needs. While intel feeds are published regularly, how they are shared depends on your source. However, it is recommended to poll at least once a day. Considering the feed data volume, add a start and end date while polling to increase the relevance of the feeds. We also recommend keeping the polling frequency at one hour.
What does the TAXII status_type = "Unauthorized" imply?
This error message can occur for two main reasons:
Your IP address is not on the allowlist.
Your credentials (Username and Password) are invalid or have expired.
What does the TAXII 206 status code imply?
The TAXII 206 status code implies partial success. If your platform shows the 206 status code, the TAXII server has not yet sent all threat data objects in the response. We recommend that you continue polling until all objects are received, and then check again.
For more information about TAXII codes, see TAXII Status Codes.
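The TAXII 2.1 discovery-then-poll flow shown in the cURL examples above, together with the Unauthorized and 206 partial-success cases from the FAQ, as an added Python example (this is not CTIX's code nor CYTAXII2). It assumes a transport callable of the form transport(url, headers) -> (http_status, parsed_json); the server responses below are constructed, and the URLs follow the page's example domain.

```python
import base64

TAXII21_ACCEPT = "application/taxii+json;version=2.1"
# Example-domain URLs in the page's style (taxii.cyware.com); a real server's differ.
DISCOVERY_URL = "https://taxii.cyware.com/ctixapi/ctix21/taxii2/"
API_ROOT = "https://taxii.cyware.com/ctixapi/ctix21/"

def basic_auth_header(username, password):
    # HTTP Basic: base64 is encoding, not encryption; only the TLS channel protects it.
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()

def _get(transport, url, headers, ok=(200,)):
    status, body = transport(url, headers)  # transport returns (http_status, json_body)
    if status == 401:  # the FAQ's "Unauthorized": IP allowlist or subscriber credentials
        raise PermissionError(f"401 for {url}: check IP allowlist and credentials")
    if status not in ok:
        raise RuntimeError(f"HTTP {status} for {url}: {body.get('title', '')}")
    return status, body

def discover_api_root(transport, discovery_url, headers):
    _, body = _get(transport, discovery_url, headers)
    roots = body.get("api_roots") or []
    if not roots:
        raise RuntimeError("discovery response lists no api_roots")
    return body.get("default") or roots[0]

def poll_objects(transport, api_root, collection_id, headers, added_after=None, max_pages=100):
    """Fetch every STIX object in a collection, following 206 / more+next pagination."""
    base = f"{api_root.rstrip('/')}/collections/{collection_id}/objects/"
    params = [f"added_after={added_after}"] if added_after else []
    next_token, objects = None, []
    for _ in range(max_pages):
        query = params + ([f"next={next_token}"] if next_token else [])
        url = base + ("?" + "&".join(query) if query else "")
        status, body = _get(transport, url, headers, ok=(200, 206))
        objects.extend(body.get("objects", []))
        if status != 206 and not body.get("more"):
            return objects  # 200 with more=false: the server has sent everything
        next_token = body.get("next")
        if not next_token:
            raise RuntimeError("server signalled more data but returned no 'next' token")
    raise RuntimeError(f"gave up after {max_pages} pages; narrow the poll window")

# Constructed sample server: one collection, two pages, the first answered with 206.
_IND = {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix"}
_PAGE1 = API_ROOT + "collections/c1/objects/?added_after=2021-02-19T00:41:22.856Z"
_FAKE = {
    DISCOVERY_URL: (200, {"title": "constructed", "api_roots": [API_ROOT], "default": API_ROOT}),
    _PAGE1: (206, {"more": True, "next": "p2",
                   "objects": [dict(_IND, id="indicator--1"), dict(_IND, id="indicator--2")]}),
    _PAGE1 + "&next=p2": (200, {"more": False, "objects": [dict(_IND, id="indicator--3")]}),
}

def fake_transport(url, headers):
    # Hypothetical server: rejects anything but the constructed subscriber credentials.
    if headers.get("Authorization") != basic_auth_header("subscriber", "s3cret"):
        return 401, {"title": "Unauthorized"}
    return _FAKE.get(url, (404, {"title": "Not Found"}))

def run_demo(transport=fake_transport, username="subscriber", password="s3cret"):
    headers = {"Accept": TAXII21_ACCEPT, "Authorization": basic_auth_header(username, password)}
    root = discover_api_root(transport, DISCOVERY_URL, headers)
    objects = poll_objects(transport, root, "c1", headers, added_after="2021-02-19T00:41:22.856Z")
    return root, [o["id"] for o in objects]
```

Against a live server, pass a transport built on urllib or requests that returns (resp.status, resp.json()) so the same 401 and 206 handling applies.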