Incoming feed - TAXII inbox#

Note

This article describes how to configure incoming feeds for a particular feed source. To see how to configure incoming feeds in general, see Create and configure incoming feeds.

Specifications

Transport type

TAXII inbox

Content type

  • Eclectic JSON

  • Email message

  • MISP JSON

  • PDF

  • SpyCloud Breach Data JSON

  • STIX 1.0

  • STIX 1.1

  • STIX 1.1.1

  • STIX 1.2

  • STIX 2.1

  • Text

Ingested data

Structured STIX packages.

Processed data

Structured, STIX-compliant entities.

Description

Retrieve and process information from specific data sources supporting the TAXII inbox transport type.

Note

Before configuring a TAXII transport type for an incoming or an outgoing feed, make sure that the appropriate TAXII service is correctly configured in the platform system settings.

TAXII inbox and TAXII poll transport types require Cabby.
For more information, see official Cabby documentation, the Cabby public repo on GitHub, and the Cabby download page.

Note

Assign unique names to TAXII feeds: TAXII inbox and TAXII poll feeds in the platform, both incoming and outgoing, must have unique names.

Configure the incoming feed#

  1. Create or edit an incoming feed.

  2. From the Transport type drop-down menu, select TAXII inbox.

  3. From the Content type drop-down menu, select the appropriate content type for the data you want to ingest through the incoming feed.
    The selected content type for the feed should match the actual format of the source data.
    This can vary, depending on the intelligence sources you retrieve the data from.

  4. Select the Accept password protected archives checkbox to specify a global password to open any archives retrieved through the incoming feed.
    If the archives are password-protected, enter it in the Archive password input field.
    The specified password acts as a master password, and it is used to try to unlock and access any archives retrieved with the feed.
    Supported archive formats:

    • .rar

    • .tar

    • .tar.bz2

    • .tar.gz

    • .tar.z

    • .zip

  5. Select the Public checkbox to make the incoming feed available to all platform groups and to all platform users.
    Leave it deselected to make the incoming feed available only to specific groups.

  6. From the the Authorized groups drop-down menu, select one or more groups to grant them access to the feed.
    This option restricts access to the incoming feed only to the selected user groups and to their members.
    Authorized groups is only available when the Public checkbox is deselected (default setting).

  7. In the Collection name field, enter the name of the TAXII data collection you want to use to consolidate the incoming feed content.
    The data collection name can be max. 1024 characters long, and its XML schema must comply with the xsd:anyURI data type.
    Example: MalwareDomainList_Hostlist.

  8. To store your changes, click Save; to discard them, click Cancel.

Warning

Before deleting a group, check that is not an authorized group in an incoming or an outgoing feed configuration.
Deleting a group that is currently selected as an authorized group to access an incoming or an outgoing feed content breaks feed functionality.

If remove such a group:

  1. Remove it from the Authorized groups selection in the relevant incoming and/or outgoing feed(s).

  2. Proceed to delete the group.

Assign permissions to the user role#

The designated platform user role to manage TAXII feeds requires read access to specific platform resources:

Resource

Access level

Data sources:

  • Incoming feeds

  • Groups

Read

Feeds:

  • Incoming feeds

  • Outgoing feeds

Read

TAXII services:

  • Discovery

  • Collection

  • Inbox

  • Poll

Read

To manage data exchange through a TAXII feed, a platform user needs at least a basic set of permissions If the user also interacts with other platform features, such as datasets and workspaces, you can integrate this basic permission set with the default permissions granted to the default Threat Analyst role.

These are non-mandatory guidelines. You may need to fine-tune user permissions based on trial and error, practical experience to best suit your environment and your needs.

To view permissions for the the default Threat Analyst role:

  1. In the side navigation bar click > User management > Roles.

    To sort items by column header:

    1. Click the header of the column whose content you want to sort.

    2. Click or to sort the content in either ascending or descending order, respectively.

  2. Under Role name, select Threat Analyst.

  3. In the Threat Analyst detail pane, in the Overview tab, you can view a list of permissions granted to the role.

Basic permission set for the user role#

Sender automation role

Receiver automation role

Required

Notes

  • read configurations

  • read content-blocks

  • read content-types

  • read destinations

  • read entities

  • read extracts

  • read intel-sets

  • read outgoing-feeds

  • read sources

  • read taxii-services

  • read transports

  • read configurations

  • read content-blocks

  • read content-types

  • read destinations

  • read entities

  • read extracts

  • read incoming-feeds

  • read intel-sets

  • read sources

  • read taxii-services

  • read transports

Yes

Different permissions between sender and receiver automation roles are highlighted in bold.

  • modify incoming-feeds

  • modify taxii-services

See notes

The sender automation user role must have also these permissions if:

  • A platform-to-platform data exchange implementation uses a TAXII inbox outgoing feed > TAXII inbox incoming feed setup.

  • A TAXII inbox outgoing feed uses Basic authentication.

  • modify outgoing-feeds

See notes

The receiver automation user role must have also this permission if:

  • A platform-to-platform data exchange implementation uses a TAXII inbox outgoing feed > TAXII inbox incoming feed setup.

  • A TAXII inbox incoming feed uses Basic authentication.