Incoming feed - TAXII inbox
This procedure describes how to configure incoming feeds for a particular feed data source, transport type, or content type.
For more information about configuring common options shared across all incoming feeds, see Configure incoming feeds general options.
| Specifications | |
|---|---|
| Transport type | TAXII inbox |
| Content type | |
| Ingested data | Structured STIX packages. |
| Processed data | Structured, STIX-compliant entities. |
| Description | Retrieve and process information from specific data sources supporting the TAXII inbox transport type. |
Before configuring a TAXII transport type for an incoming or an outgoing feed, make sure that the appropriate TAXII service is correctly configured in the platform system settings.
TAXII inbox and TAXII poll transport types require Cabby.
For more information, see the official Cabby documentation, the Cabby public repo on GitHub, and the Cabby download page.
Assign unique names to TAXII feeds: TAXII inbox and TAXII poll feeds in the platform, both incoming and outgoing, must have unique names.
Configure the incoming feed
Create or edit an incoming feed.
From the Transport type drop-down menu, select TAXII inbox.
From the Content type drop-down menu, select the appropriate content type for the data you want to ingest through the incoming feed.
The selected content type for the feed should match the actual format of the source data.
This can vary, depending on the intelligence sources you retrieve the data from.
Select the Accept password protected archives checkbox to specify a global password to open any archives retrieved through the incoming feed.
If the archives are password-protected, enter the password in the Archive password input field.
The specified password acts as a master password, and it is used to try to unlock and access any archives retrieved with the feed.
Supported archive formats:
.rar
.tar
.tar.bz2
.tar.gz
.tar.z
.zip
Select the Public checkbox to make the incoming feed available to all platform groups and to all platform users.
Leave it deselected to make the incoming feed available only to specific groups.
From the Authorized groups drop-down menu, select one or more groups to grant them access to the feed.
This option restricts access to the incoming feed only to the selected user groups and to their members.
Authorized groups is only available when the Public checkbox is deselected (default setting).
In the Collection name field, enter the name of the TAXII data collection you want to use to consolidate the incoming feed content.
The data collection name can be at most 1024 characters long, and it must comply with the xsd:anyURI XML Schema data type.
Example: MalwareDomainList_Hostlist.
To store your changes, click Save; to discard them, click Cancel.
Before deleting a group, check that it is not an authorized group in an incoming or an outgoing feed configuration.
Deleting a group that is currently selected as an authorized group to access the content of an incoming or an outgoing feed breaks feed functionality.
To remove such a group:
Remove it from the Authorized groups selection in the relevant incoming and/or outgoing feed(s).
Proceed to delete the group.
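The feed name, collection name and authorized group rules above can be checked before any change is made in the UI. The following lint is an added example, not part of the platform or its documentation: the feed record fields (`name`, `collection`, `public`, `authorized_groups`) are hypothetical, and the xsd:anyURI check is a conservative approximation that accepts only RFC 3986 characters and well-formed percent-escapes.

```python
import re

MAX_COLLECTION_NAME = 1024  # limit stated on this page
# Conservative stand-in for xsd:anyURI (assumption): RFC 3986 characters only,
# and every "%" must start a two-digit hex escape. Stricter than the XSD type.
_URI_SAFE = re.compile(r"^(?:[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=]|%[0-9A-Fa-f]{2})+$")


def collection_name_problems(name):
    """Return the reasons a collection name would break the stated rules."""
    problems = []
    if not name:
        problems.append("empty")
    elif not _URI_SAFE.match(name):
        problems.append("not a plain URI reference (space, control char or bad % escape)")
    if len(name) > MAX_COLLECTION_NAME:
        problems.append(f"{len(name)} characters, limit is {MAX_COLLECTION_NAME}")
    return problems


def lint_feeds(feeds, group_to_delete=None):
    """Check hypothetical feed records against the rules described on this page."""
    findings, seen = [], set()
    for feed in feeds:
        name = feed["name"]
        if name in seen:  # TAXII inbox and poll feeds must have unique names
            findings.append(f"{name}: duplicate TAXII feed name")
        seen.add(name)
        for problem in collection_name_problems(feed.get("collection", "")):
            findings.append(f"{name}: collection name {problem}")
        groups = feed.get("authorized_groups", [])
        if feed.get("public") and groups:  # groups apply only to non-public feeds
            findings.append(f"{name}: authorized groups set on a public feed")
        if group_to_delete in groups:  # deleting this group would break the feed
            findings.append(f"{name}: still authorizes group {group_to_delete!r}")
    return findings


# Constructed sample records; field names are illustrative, not the platform's schema.
SAMPLE_FEEDS = [
    {"name": "mdl-inbox", "collection": "MalwareDomainList_Hostlist",
     "public": False, "authorized_groups": ["Analysts"]},
    {"name": "mdl-inbox", "collection": "Malware Domain List",
     "public": True, "authorized_groups": []},
]

if __name__ == "__main__":
    for finding in lint_feeds(SAMPLE_FEEDS, group_to_delete="Analysts"):
        print(finding)
```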
Assign permissions to the user role
The designated platform user role to manage TAXII feeds requires read access to specific platform resources:
| Resource | Access level |
|---|---|
| Data sources: | Read |
| Feeds: | Read |
| TAXII services: | Read |
To manage data exchange through a TAXII feed, a platform user needs at least a basic set of permissions.
If the user also interacts with other platform features, such as datasets and workspaces, you can integrate this basic permission set with the default permissions granted to the default Threat Analyst role.
These are non-mandatory guidelines. You may need to fine-tune user permissions based on trial and error and practical experience to best suit your environment and your needs.
To view permissions for the default Threat Analyst role:
In the side navigation bar click > User management > Roles.
To sort items by column header:
Click the header of the column whose content you want to sort.
Click or to sort the content in either ascending or descending order, respectively.
Under Role name, select Threat Analyst.
In the Threat Analyst detail pane, in the Overview tab, you can view a list of permissions granted to the role.
Basic permission set for the user role
| Sender automation role | Receiver automation role | Required | Notes |
|---|---|---|---|
| | | Yes | Different permissions between sender and receiver automation roles are highlighted in bold. |
| | | See notes | The sender automation user role must also have these permissions if: |
| | | See notes | The receiver automation user role must also have this permission if: |