Outgoing feed - TAXII 2.1 poll
This article describes how to configure outgoing feeds for a particular feed source. To see how to configure outgoing feeds in general, see Configure outgoing feeds general options.
Specifications
Transport type: TAXII 2.1 poll
Content type: STIX 2.1
Published data: For more information on STIX 2.1 support, see STIX 2.1 documentation.
Overview
This outgoing feed packs entities from a given list of datasets into STIX 2.1 objects and distributes them through a TAXII 2.1 collection.
These objects can then be retrieved from the IC at https://{ic_url}/taxii2/collections/{collection_id}/ or with a TAXII 2.1 client.
You can configure the Intelligence Center (IC) to act as a TAXII 2 poll service.
To do this:
1. (Optional) Configure the TAXII 2 server.
By default, the TAXII 2 server bundled with the IC works out of the box. However, you may want to modify its configuration to customize certain endpoints and restrict access to them.
2. Configure the outgoing feed.
Requirements
EclecticIQ Intelligence Center 2.13.0 and newer.
Configure TAXII 2 server
You must edit configuration files on the IC host to configure the TAXII 2 server bundled with the IC.
There are two configuration files used to manage the TAXII 2.1 server configuration:
/etc/eclecticiq/opentaxii.yml: Configuration settings for the overall TAXII 2.1 server. Manages /taxii2/ endpoint.
/etc/eclecticiq/platform_settings.py: Configuration settings for the TAXII 2.1 server API root.
opentaxii.yml configuration
opentaxii.yml is only used to configure the TAXII 2 discovery endpoint (/taxii2/) on the IC.
Configuration for the following endpoints is set elsewhere:
/taxii2/api_root: Configured in platform_settings.py
/taxii2/api_root/collections/{id}/: Configured by their respective outgoing feed configurations on the IC. Go to Data configuration > Outgoing feeds.
To configure the TAXII 2 discovery endpoint, as root:
Edit /etc/eclecticiq/opentaxii.yml.
Change values in opentaxii.yml. See the table below for possible values.
Save your changes to opentaxii.yml.
Restart the OpenTaxii service:
systemctl restart eclecticiq-platform-backend-opentaxii
By default, opentaxii.yml contains the following taxii2 entry:
taxii2:
  persistence_api:
    class: eiq.platform.opentaxii.PlatformTAXII2PersistenceAPI
    parameters:
      default_pagination_limit: 10
      max_pagination_limit: 1000
  title: "EIQ TAXII2 Server"
  # nginx has `client_max_body_size 200m`
  max_content_length: 209715200
  public_discovery: true
Attribute name | Default | Description
taxii2 | N/A | Contains configuration for the TAXII 2 discovery endpoint (/taxii2/).
persistence_api | | Internal values. Do not change.
title | "EIQ TAXII2 Server" | Title assigned to the TAXII 2 discovery service.
max_content_length | 209715200 | Internal value. Do not change.
public_discovery | true | (Recommended) Set to false to restrict access to the /taxii2/ endpoint. Users need to authenticate by sending their API key as a Bearer token, or use Basic authentication.
platform_settings.py configuration
The TAXII 2 API root endpoint (/taxii2/api_root) is configured in platform_settings.py through the TAXII2_API_ROOT parameter.
Configuration for the following endpoints is set elsewhere:
/taxii2/: Configured in opentaxii.yml
/taxii2/api_root/collections/{id}/: Configured by their respective outgoing feed configurations on the IC. Go to Data configuration > Outgoing feeds.
To configure TAXII 2 with platform_settings.py, as root:
Edit /etc/eclecticiq/platform_settings.py.
Add or change the TAXII2_API_ROOT attribute.
The TAXII2_API_ROOT attribute is a dictionary with this shape:
TAXII2_API_ROOT = {
    "title": "...",
    "description": "...",
    "is_public": True,
}
This table describes the possible keys and values:
Attribute name | Default | Description
TAXII2_API_ROOT | (dictionary shown above) | Attribute that configures the TAXII 2 API root. Keys in this dictionary are described in this table.
TAXII2_API_ROOT["title"] | "EIQ TAXII 2.1 api root" | Title assigned to the API root.
TAXII2_API_ROOT["description"] | "The EIQ TAXII 2.1 api root for passive outgoing feeds" | Description assigned to the API root.
TAXII2_API_ROOT["is_public"] | True | (Recommended) Set to False to restrict access to the endpoints /taxii2/api_root/ and /taxii2/api_root/collections/. Users need to authenticate by sending their API key as a Bearer token, or use Basic authentication.
Save platform_settings.py.
Restart the OpenTaxii service:
systemctl restart eclecticiq-platform-backend-opentaxii
Configure the outgoing feed
Create or edit an outgoing feed.
Under Transport and content, fill out these fields:
Required fields are marked with an asterisk (*).
Field | Description
Transport type* | Select TAXII 2.1 poll from the drop-down menu.
Content type* | Select STIX 2.1 from the drop-down menu.
Datasets* | Select one or more existing datasets from the drop-down menu.
Update strategy* | Select an update strategy. Supported update strategies: APPEND, REPLACE.
TLS verification | Selected by default.
Processing > Observable and Enrichment Observable types > Observable types | If your selected dataset(s) include indicator entities that do not have a STIX 2.1-compatible test mechanism defined, you must include observable types here. See Pack indicator entities below for more information.
Store your changes by selecting Save.
Pack indicator entities
Most EclecticIQ indicators can be packed as STIX 2.1 Indicator SDOs without further configuration. However, there are certain cases where EclecticIQ indicator entities may be dropped by an outgoing feed.
Currently, EclecticIQ indicator entities must have at least one of the following in order for them to be packed as STIX 2.1 Indicator SDOs by outgoing feeds:
A test mechanism, with one of the following types:
Generic
SNORT
YARA
A related observable with one of the supported SCO types.
If your EclecticIQ indicator entity only has related observables and no test mechanism, you must include the related observable types in your outgoing feed configuration’s Observable and Enrichment Observable types > Observable types field.
For more information about the STIX 2.1 Indicator SDO and how EclecticIQ indicator entities are mapped to and from it, see the STIX 2.1 documentation.
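The following is an added example (not EclecticIQ code) of a minimal TAXII 2.1 client that reads the discovery endpoint, authenticates with the IC API key as a Bearer token (as required once public_discovery and is_public are set to false), and pages through a collection's objects so you can check what the feed actually publishes. It assumes the discovery document at /taxii2/ advertises the API root and that the objects endpoint returns the standard TAXII 2.1 envelope; the host ic.example, the collection id c1 and the canned responses are constructed for an offline run.

```python
import json
import urllib.request
from typing import Callable, Dict, Iterator, List
from urllib.parse import urlencode

TAXII_MEDIA = "application/taxii+json;version=2.1"
Fetch = Callable[[str], dict]  # maps a URL to the parsed JSON body it returns

def make_fetch(api_key: str) -> Fetch:
    """GET a TAXII 2.1 URL from the IC, sending the API key as a Bearer token
    (needed once public_discovery / is_public are set to false)."""
    def fetch(url: str) -> dict:
        headers = {"Accept": TAXII_MEDIA, "Authorization": f"Bearer {api_key}"}
        with urllib.request.urlopen(urllib.request.Request(url, headers=headers), timeout=30) as resp:
            return json.loads(resp.read())
    return fetch

def discover_api_roots(ic_url: str, fetch: Fetch) -> List[str]:
    """Read the discovery endpoint (/taxii2/) and return the advertised API roots."""
    return list(fetch(f"https://{ic_url}/taxii2/").get("api_roots", []))

def poll_collection(api_root: str, collection_id: str, fetch: Fetch, limit: int = 100) -> Iterator[dict]:
    """Yield every object in a collection, following the `next` cursor until `more` is false.
    The server caps `limit` at max_pagination_limit (1000 in the default opentaxii.yml)."""
    base = f"{api_root.rstrip('/')}/collections/{collection_id}/objects/"
    params: Dict[str, str] = {"limit": str(limit)}
    while True:
        envelope = fetch(f"{base}?{urlencode(params)}")
        yield from envelope.get("objects", [])
        if not envelope.get("more") or not envelope.get("next"):
            return
        params["next"] = envelope["next"]  # opaque cursor, echoed back as the `next` query parameter

# Constructed sample responses standing in for an IC at ic.example (not real data).
CANNED: Dict[str, dict] = {
    "https://ic.example/taxii2/": {"api_roots": ["https://ic.example/taxii2/api_root/"]},
    "https://ic.example/taxii2/api_root/collections/c1/objects/?limit=2": {
        "more": True, "next": "p2",
        "objects": [{"type": "indicator", "id": "indicator--1"}, {"type": "indicator", "id": "indicator--2"}]},
    "https://ic.example/taxii2/api_root/collections/c1/objects/?limit=2&next=p2": {
        "more": False, "objects": [{"type": "malware", "id": "malware--1"}]},
}

def demo() -> List[str]:
    """Poll the constructed collection offline (CANNED stands in for fetch); return object ids in order."""
    root = discover_api_roots("ic.example", CANNED.__getitem__)[0]
    return [o["id"] for o in poll_collection(root, "c1", CANNED.__getitem__, limit=2)]
```

Against a live IC, replace CANNED.__getitem__ with make_fetch("<your API key>") and the real host; a page count higher than expected or missing indicator ids is the first sign that entities were dropped during packing.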