Incoming feed - TAXII 2.1 poll

This procedure describes how to configure incoming feeds for a particular feed data source, transport type, or content type.
For more information about configuring common options shared across all incoming feeds, see Configure incoming feeds general options.

	Specifications
Transport type	TAXII 2.1 poll
Content type	STIX 2.1
Ingested data	IOC indicators in structured STIX 2.1 format. Future releases will support also other STIX 2.1. SDOs and SROs.
Processed data	Indicators in structured STIX 2.1 format. Future releases will support also other STIX 2.1. SDOs and SROs.
Description	Set up and configure transport and content types for TAXII 2.1 poll incoming feeds to retrieve and to process information from specific data sources supporting the TAXII 2.1 poll transport type. To configure common options for TAXII 2.1 poll incoming feeds, see Configure the general options and other relevant articles under Incoming feeds.

Before configuring a TAXII transport type for an incoming or an outgoing feed, make sure that the appropriate TAXII service is correctly configured in the platform system settings.

TAXII inbox and TAXII poll transport types require Cabby.
For more information, see official Cabby documentation, the Cabby public repo on GitHub, and the Cabby download page.

Assign unique names to TAXII feeds: TAXII inbox and TAXII poll feeds in the platform, both incoming and outgoing, must have unique names.

Configure the incoming feed

Create or edit an incoming feed.
From the Transport type drop-down menu select TAXII 2.1 poll.
From the Content type drop-down menu select STIX 2.1.
In the Auto Discovery input field enter the URL pointing to a TAXII 2.1 discovery service.
Feed consumers can send a request to the TAXII 2.1. discovery service to obtain a list of the available TAXII 2.1 services that they can access and poll for content updates.
Example: https://hailataxii.com/taxii2/
The endpoint that exposes the TAXII 2.1. discovery service is /taxii2.
After selecting a TAXII 2.1 collection from the TAXII discovery list of the available collections, the API Root URL is automatically populated with the base URL of the TAXII 2.1 channel and collections you want to obtain data from.
Alternatively, fill out the field by entering the base URL of the API exposing the TAXII 2.1. services you want to use as data source for the feed.
Example: https://example.taxii2.root-url.com/api/v2/taxii-server/
After selecting a TAXII 2.1 collection from the TAXII discovery list of the available collections, the Collection ID is automatically populated with the ID of the collection you selected.
Alternatively, fill out the field by entering the ID of the collection you selected in the TAXII discovery list.
The collection ID is used in subsequent requests to poll the service and to receive content from the selected collection.
Example: d6578f43-f9d7-12f5-6kjj-s6df49535657
Click the Added after field to display a drop-down calendar to select an initial date to fetch content from the TAXII data source starting from a specific date in the past.
To set also a specific time, click the time information in the Added after field to adjust hours and minutes as needed.
- The ingestion date you specify here refers to package timestamps. It does not refer to entity timestamps. Entities in a package can have different, older, timestamps.
- The first time you run the feed, it ingests data starting from the specified date in the past.
  Subsequent runs start incrementally from the time of the previous feed run.
  If you do not specify any start date, the feed defaults to ingesting data from January 1st, 1970.
In the Objects per run (max) field specify the maximum amount of STIX 2.1 objects – STIX domain objects (SDOs) and STIX relationship objects (SROs) – that the feed can retrieve in a single run.
Default value:100
In the Username field, enter a valid user name to authenticate and be granted the necessary authorization to access the data source of the incoming feed.
In the Password field, enter a valid password to authenticate and be granted the necessary authorization to access the data source of the incoming feed.
To specify the TAXII 2.1 required HTTP headers to include in the request:
1. Click Add or More to insert new rows or input fields, as necessary, where you can enter additional HTTP header names and corresponding value pairs.
  TAXII 2.1 requires passing the following HTTP header with each request: Accept: application/taxii+json;version=2.1
2. In the left input field, enter the HTTP header name: Accept
3. In the right input field, enter the HTTP header value: application/taxii+json;version=2.1
  To remove an entry from this section, click the cross icon corresponding to the item you want to remove.
To store your changes, click Save; to discard them, click Cancel.
To access additional save options, click the down arrow on the Save button:
- Save and run: saves the current configuration for the feed, and it executes is right away.
  The feed task to ingest (incoming feeds) or to disseminate (outgoing feeds) intelligence executes and runs immediately after successfully saving the feed configuration.
- Save and new: saves the current configuration for the feed, and it opens a new empty form to start configuring a new feed.
- Save and duplicate: saves the current configuration for the feed, and it opens a new prepopulated copy of the same feed configuration, which you can use as a blueprint/template to speed up manual work.

Assign permissions to the user role

The designated platform user role to manage TAXII feeds requires read access to specific platform resources:

Resource	Access level
Data sources: Incoming feeds Groups	Read
Feeds: Incoming feeds Outgoing feeds	Read
TAXII services: Discovery Collection Inbox Poll	Read

To manage data exchange through a TAXII feed, a platform user needs at least a basic set of permissions.
If the user also interacts with other platform features, such as datasets and workspaces, you can integrate this basic permission set with the default permissions granted to the default Threat Analyst role.

These are non-mandatory guidelines. You may need to fine-tune user permissions based on trial and error, practical experience to best suit your environment and your needs.

To view permissions for the the default Threat Analyst role:

In the side navigation bar click > User management > Roles.
To sort items by column header:
1. Click the header of the column whose content you want to sort.
2. Click or to sort the content in either ascending or descending order, respectively.
Under Role name, select Threat Analyst.
In the Threat Analyst detail pane, in the Overview tab, you can view a list of permissions granted to the role.

Basic permission set for the user role

Sender automation role	Receiver automation role	Required	Notes
read configurations read content-blocks read content-types read destinations read entities read extracts read intel-sets *read outgoing-feeds* read sources read taxii-services read transports	read configurations read content-blocks read content-types read destinations read entities read extracts *read incoming-feeds* read intel-sets read sources read taxii-services read transports	Yes	Different permissions between sender and receiver automation roles are highlighted in bold.
*modify incoming-feeds* *modify taxii-services*		See notes	The sender automation user role must have also these permissions if: A platform-to-platform data exchange implementation uses a TAXII inbox outgoing feed TAXII inbox incoming feed setup. A TAXII inbox outgoing feed uses Basic authentication.
	*modify outgoing-feeds*	See notes	The receiver automation user role must have also this permission if: A platform-to-platform data exchange implementation uses a TAXII inbox outgoing feed TAXII inbox incoming feed setup. A TAXII inbox incoming feed uses Basic authentication.

Configure the incoming feed

Assign permissions to the user role

Basic permission set for the user role

See also