Incoming feed - TAXII inbox


This procedure describes how to configure incoming feeds for a particular feed data source, transport type, or content type.
For more information about configuring common options shared across all incoming feeds, see Configure incoming feeds general options.


Specifications

Transport type

TAXII inbox

Content type

  • CAPEC XML

  • EclecticIQ JSON

  • EclecticIQ JSON (legacy)

  • Email message

  • PDF

  • RSS HTML from link

  • SpyCloud Breach Data JSON

  • STIX 1.0

  • STIX 1.1

  • STIX 1.1.1

  • STIX 1.2

  • Text

Ingested data

Structured STIX packages.

Processed data

Structured, STIX-compliant entities.

Description

Retrieve and process information from specific data sources supporting the TAXII inbox transport type.


Before configuring a TAXII transport type for an incoming or an outgoing feed, make sure that the appropriate TAXII service is correctly configured in the platform system settings.

TAXII inbox and TAXII poll transport types require Cabby.
For more information, see official Cabby documentation, the Cabby public repo on GitHub, and the Cabby download page.



Assign unique names to TAXII feeds: TAXII inbox and TAXII poll feeds in the platform, both incoming and outgoing, must have unique names.

Configure the incoming feed


  1. Create or edit an incoming feed.

  2. From the Transport type drop-down menu, select TAXII inbox.

  3. From the Content type drop-down menu, select the appropriate content type for the data you want to ingest through the incoming feed.
    The selected content type for the feed should match the actual format of the source data.
    This can vary, depending on the intelligence sources you retrieve the data from.

  4. Select the Accept password protected archives checkbox to specify a global password for opening any archives retrieved through the incoming feed.
    If the archives are password-protected, enter the password in the Archive password input field.
    The specified password acts as a master password: the platform uses it to try to unlock and access any archive retrieved with the feed.
    Supported archive formats:

    • .rar

    • .tar

    • .tar.bz2

    • .tar.gz

    • .tar.z

    • .zip

  5. Select the Public checkbox to make the incoming feed available to all platform groups and to all platform users.
    Leave it deselected to make the incoming feed available only to specific groups.

  6. From the Authorized groups drop-down menu, select one or more groups to grant them access to the feed.
    This option restricts access to the incoming feed only to the selected user groups and to their members.
    Authorized groups is only available when the Public checkbox is deselected (default setting).

  7. In the Collection name field, enter the name of the TAXII data collection you want to use to consolidate the incoming feed content.
    The data collection name can be max. 1024 characters long, and its XML schema must comply with the xsd:anyURI data type.
    Example: MalwareDomainList_Hostlist.

  8. To store your changes, click Save; to discard them, click Cancel.


Before deleting a group, check that it is not an authorized group in an incoming or an outgoing feed configuration.
Deleting a group that is currently selected as an authorized group for an incoming or an outgoing feed breaks that feed.

To remove such a group:

  1. Remove it from the Authorized groups selection in the relevant incoming and/or outgoing feed(s).

  2. Proceed to delete the group.

Assign permissions to the user role

The designated platform user role to manage TAXII feeds requires read access to specific platform resources:

Resource and access level:

  • Data sources (Incoming feeds, Groups): Read

  • Feeds (Incoming feeds, Outgoing feeds): Read

  • TAXII services (Discovery, Collection, Inbox, Poll): Read

To manage data exchange through a TAXII feed, a platform user needs at least a basic set of permissions.
If the user also interacts with other platform features, such as datasets and workspaces, you can integrate this basic permission set with the default permissions granted to the default Threat Analyst role.

These are non-mandatory guidelines. You may need to fine-tune user permissions based on trial and error and practical experience to best suit your environment and your needs.

To view permissions for the default Threat Analyst role:

  1. In the side navigation bar, click User management > Roles.
    To sort items by column header:

    1. Click the header of the column whose content you want to sort.

    2. Click the sort icon to sort the content in ascending or descending order.

  2. Under Role name, select Threat Analyst.

  3. In the Threat Analyst detail pane, in the Overview tab, you can view a list of permissions granted to the role.

Basic permission set for the user role


The table below lists, row by row, the permissions for the sender automation role and for the receiver automation role, whether they are required, and notes.

Row 1 (Required: Yes)

  Sender automation role:

    • read configurations

    • read content-blocks

    • read content-types

    • read destinations

    • read entities

    • read extracts

    • read intel-sets

    • read outgoing-feeds

    • read sources

    • read taxii-services

    • read transports

  Receiver automation role:

    • read configurations

    • read content-blocks

    • read content-types

    • read destinations

    • read entities

    • read extracts

    • read incoming-feeds

    • read intel-sets

    • read sources

    • read taxii-services

    • read transports

  Notes: the two roles differ only in the feed direction they read. The sender automation role has read outgoing-feeds; the receiver automation role has read incoming-feeds.

Row 2 (Required: see notes)

  Sender automation role:

    • modify incoming-feeds

    • modify taxii-services

  Receiver automation role: no additional permissions.

  Notes: the sender automation user role must also have these permissions if:

    • A platform-to-platform data exchange implementation uses a TAXII inbox outgoing feed to TAXII inbox incoming feed setup.

    • A TAXII inbox outgoing feed uses Basic authentication.

Row 3 (Required: see notes)

  Sender automation role: no additional permissions.

  Receiver automation role:

    • modify outgoing-feeds

  Notes: the receiver automation user role must also have this permission if:

    • A platform-to-platform data exchange implementation uses a TAXII inbox outgoing feed to TAXII inbox incoming feed setup.

    • A TAXII inbox incoming feed uses Basic authentication.
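The following is an added example, not EclecticIQ platform code: it audits an automation role's granted permissions against the basic sender/receiver sets listed above, reporting what is missing and what exceeds the table (candidates for removal under least privilege). The permission strings are the ones on this page; the sample receiver role is constructed for illustration.

```python
"""Audit an automation role's permissions against the basic sender and
receiver permission sets from the table above (added example, not
platform code; the sample role at the bottom is constructed)."""

# Read permissions shared by both automation roles.
COMMON_READ = frozenset({
    "read configurations", "read content-blocks", "read content-types",
    "read destinations", "read entities", "read extracts",
    "read intel-sets", "read sources", "read taxii-services",
    "read transports",
})

# Basic set per role; only the feed-direction permission differs.
BASIC = {
    "sender": COMMON_READ | {"read outgoing-feeds"},
    "receiver": COMMON_READ | {"read incoming-feeds"},
}

# Permissions the table marks "See notes": needed only for a
# platform-to-platform inbox-to-inbox setup or when the TAXII inbox
# feed uses Basic authentication.
CONDITIONAL = {
    "sender": frozenset({"modify incoming-feeds", "modify taxii-services"}),
    "receiver": frozenset({"modify outgoing-feeds"}),
}


def audit_role(role, granted, conditional_needed=False):
    """Compare a role's granted permissions with what the table requires.

    Returns (missing, excess): permissions still to grant, and permissions
    the table does not call for, which should be reviewed and removed
    unless another platform feature needs them.
    """
    required = set(BASIC[role])
    if conditional_needed:
        required |= CONDITIONAL[role]
    granted = set(granted)
    return required - granted, granted - required


# Constructed sample: a receiver role that was cloned from a sender role
# and then given a write permission feed ingestion does not need.
SAMPLE_RECEIVER = BASIC["sender"] | {"modify entities"}

if __name__ == "__main__":
    missing, excess = audit_role("receiver", SAMPLE_RECEIVER, True)
    print("missing:", sorted(missing))  # read incoming-feeds, modify outgoing-feeds
    print("excess: ", sorted(excess))   # read outgoing-feeds, modify entities
```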

See also