Configure Opentaxii server

TAXII and TAXII 2.1 feeds hosted by the Intelligence Center (IC) depend on a bundled Opentaxii server.

This is installed by default. It usually runs on the EclecticIQ Intelligence Center host as eclecticiq-platform-backend-opentaxii.service.

Configure Opentaxii

TAXII and TAXII 2.1 feeds are available on EclecticIQ Intelligence Center without further configuration.

To change the default behavior of the provided Opentaxii server:

  1. Modify the configuration file at /etc/eclecticiq/opentaxii.yml.

  2. Restart the opentaxii service. Run as root:

    systemctl restart eclecticiq-platform-backend-opentaxii.service
    

For more information on Opentaxii configuration, see Opentaxii configuration.

Warning

Do not change the auth_api and persistence_api fields. The defaults are set to values that allow the Opentaxii instance to integrate with EclecticIQ Intelligence Center.

Configure TAXII 1 services

To configure IC TAXII 1 services, sign in to EclecticIQ Intelligence Center and go to Settings > STIX and TAXII > TAXII.

See Configure TAXII.

Unique feed names

When creating TAXII 1 feeds, you must assign them unique feed names.

Configure TAXII 2 services

TAXII 2 services are available on EclecticIQ Intelligence Center without further configuration.

Caution

You must include the trailing slash (/) when accessing TAXII 2 endpoints.

By default, EclecticIQ Intelligence Center hosts TAXII 2 services at the following endpoints:

| Endpoint | Example URL | Description |
|---|---|---|
| /taxii2/ | https://ic.example.com/taxii2/ | TAXII 2 discovery endpoint |
| /taxii2/api_root/ | https://ic.example.com/taxii2/api_root/ | Default API root for all TAXII 2 collections hosted by EclecticIQ Intelligence Center. |

Two separate configuration files manage these endpoints:

  • /etc/eclecticiq/opentaxii.yml: Manages /taxii2/ endpoint and overall Opentaxii configuration.

  • /etc/eclecticiq/platform_settings.py: Configuration settings for the TAXII 2.1 server API root (default: /taxii2/api_root/).

Discovery endpoint

Tip

The discovery endpoint allows unauthenticated access by default. To disallow unauthenticated access, set public_discovery to false.

To configure the TAXII 2 discovery endpoint, as root:

  1. Edit /etc/eclecticiq/opentaxii.yml.

  2. Change values in opentaxii.yml. See the table below for possible values.

  3. Save your changes to opentaxii.yml.

  4. Restart the OpenTaxii service:

    systemctl restart eclecticiq-platform-backend-opentaxii
    

By default, opentaxii.yml contains the following taxii2 entry:

taxii2:
  persistence_api:
    class: eiq.platform.opentaxii.PlatformTAXII2PersistenceAPI
    parameters:
      default_pagination_limit: 10
      max_pagination_limit: 1000
  title: "EIQ TAXII2 Server"
  # nginx has `client_max_body_size 200m`
  max_content_length: 209715200
  public_discovery: true

| Attribute name | Default | Description |
|---|---|---|
| taxii2 | N/A | Contains configuration for the discovery endpoint (/taxii2/). |
| persistence_api | {class: eiq.platform.opentaxii.PlatformTAXII2PersistenceAPI, parameters: {default_pagination_limit: 10, max_pagination_limit: 1000}} | Internal values. Do not change. |
| title | "EIQ TAXII2 Server" | Title assigned to the discovery service. |
| max_content_length | 209715200 | Internal value. Do not change. |
| public_discovery | true | (Recommended) Set to false to restrict access to the /taxii2/ endpoint. Users need to authenticate by sending their API key as a Bearer token, or use Basic authentication. |
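
To confirm after the restart that the setting took effect, the following added example (not EclecticIQ code) requests an endpoint with its trailing slash, once without credentials and once with an API key as a Bearer token. It assumes the server answers 401 or 403 when authentication is required; check_endpoint, fake_fetch and the key value are illustrative names, and the Accept value is the TAXII 2.1 media type.

```python
import urllib.error
import urllib.request

TAXII21 = "application/taxii+json;version=2.1"  # TAXII 2.1 media type

def endpoint_url(base_url, path):
    """Join base URL and path, always ending in the required trailing slash."""
    return base_url.rstrip("/") + "/" + path.strip("/") + "/"

def http_status(url, headers):
    """Default fetcher: send a GET and return the HTTP status code."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def check_endpoint(base_url, path, api_key, fetch=http_status):
    """Classify one endpoint as 'restricted', 'public' or 'broken'."""
    url = endpoint_url(base_url, path)
    anonymous = fetch(url, {"Accept": TAXII21})
    with_key = fetch(url, {"Accept": TAXII21, "Authorization": "Bearer " + api_key})
    if with_key != 200:
        return "broken"  # even the API key is refused: check the URL and the key
    if anonymous == 200:
        return "public"  # answers without credentials
    # Assumption: a restricted endpoint refuses anonymous requests with 401 or 403.
    return "restricted" if anonymous in (401, 403) else "broken"

def fake_fetch(url, headers):
    """Constructed stand-in for a server running with public_discovery: false."""
    if not url.endswith("/"):
        return 404
    return 200 if headers.get("Authorization") == "Bearer test-key" else 401

if __name__ == "__main__":
    # Offline demonstration; drop the last argument to query a real server.
    print(check_endpoint("https://ic.example.com", "/taxii2/", "test-key", fake_fetch))
```

The same call with the path /taxii2/api_root/ checks the API root endpoint.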

API root endpoint

Tip

The API root endpoint allows unauthenticated access by default. To disallow unauthenticated access, set TAXII2_API_ROOT["is_public"] to False.

The TAXII 2 API root endpoint (/taxii2/api_root/) is configured in platform_settings.py through the TAXII2_API_ROOT parameter.

To configure TAXII 2 with platform_settings.py, as root:

  1. Edit /etc/eclecticiq/platform_settings.py.

  2. Add or change the TAXII2_API_ROOT attribute.

    This table describes the possible keys and values:

    | Attribute name | Default | Description |
    |---|---|---|
    | TAXII2_API_ROOT | TAXII2_API_ROOT = {"title": "...", "description": "...", "is_public": True} | Attribute that configures the TAXII 2 API root. Keys in this dictionary are described in this table. |
    | TAXII2_API_ROOT["title"] | "EIQ TAXII 2.1 api root" | Title assigned to the API root. |
    | TAXII2_API_ROOT["description"] | "The EIQ TAXII 2.1 api root for passive outgoing feeds" | Description assigned to API root. |
    | TAXII2_API_ROOT["is_public"] | True | (Recommended) Set to False to restrict access to the following endpoints: /taxii2/api_root/ and /taxii2/api_root/collections/. Users need to authenticate by sending their API key as a Bearer token, or use Basic authentication. |

  3. Save platform_settings.py.

  4. Restart the OpenTaxii service:

    systemctl restart eclecticiq-platform-backend-opentaxii
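
An added example, not part of the EclecticIQ documentation or code: a read-only check that reports which of the two TAXII 2 endpoints is still public, covering both public_discovery in opentaxii.yml and TAXII2_API_ROOT["is_public"] in platform_settings.py. It assumes TAXII2_API_ROOT is assigned as a literal dictionary and scans the YAML line by line instead of using a YAML parser; the function names and sample contents are constructed.

```python
import ast
import re

# Constructed samples; on a host, read the two files under /etc/eclecticiq/ instead.
SAMPLE_YML = 'taxii2:\n  title: "EIQ TAXII2 Server"\n  public_discovery: true\n'
SAMPLE_SETTINGS = 'TAXII2_API_ROOT = {"title": "EIQ TAXII 2.1 api root", "is_public": False}\n'

def discovery_is_public(yml_text):
    """Return public_discovery from the taxii2 block (documented default: true)."""
    in_taxii2 = False
    for line in yml_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():  # a top-level key starts a new block
            in_taxii2 = line.split("#")[0].strip() == "taxii2:"
            continue
        m = re.match(r"\s+public_discovery:\s*(\S+)", line)
        if in_taxii2 and m:
            return m.group(1).strip("'\"").lower() in ("true", "yes", "on")
    return True

def api_root_is_public(settings_text):
    """Return TAXII2_API_ROOT["is_public"] without executing the settings file."""
    public = True  # documented default
    for node in ast.parse(settings_text).body:
        if isinstance(node, ast.Assign) and any(
            isinstance(t, ast.Name) and t.id == "TAXII2_API_ROOT" for t in node.targets
        ):
            # Assumption: the value is a literal dict, so literal_eval can read it.
            public = bool(ast.literal_eval(node.value).get("is_public", True))
    return public

def audit(yml_text, settings_text):
    """List the TAXII 2 endpoints that still answer without authentication."""
    findings = []
    if discovery_is_public(yml_text):
        findings.append("/taxii2/ is public: set public_discovery to false")
    if api_root_is_public(settings_text):
        findings.append('/taxii2/api_root/ is public: set TAXII2_API_ROOT["is_public"] to False')
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_YML, SAMPLE_SETTINGS):
        print(finding)
```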
    

Collections

TAXII 2 collections are managed as feeds on EclecticIQ Intelligence Center. See the documentation for individual feeds.