Create a TAXII outgoing feed

To exchange data between two platform instances, configure:

  • A TAXII inbox or a TAXII poll feed (outgoing -> incoming).

  • A TAXII data feed collection that both platform instances can access in order to:

    • Make data available (Alice, the publishing platform instance).

    • Retrieve data (Barbara, the recipient platform instance).

  • An EclecticIQ JSON content type for both the outgoing and the incoming feeds.

In the publishing platform instance (Alice), configure either a TAXII inbox outgoing feed or a TAXII poll outgoing feed.

Note

About transport

  • Both platform instances must exchange data through the same TAXII transport protocol service: either TAXII inbox or TAXII poll.

About content

  • Although TAXII feed configurations make available more than one content type for the incoming and the outgoing feeds, platform to platform data exchange officially supports only EclecticIQ JSON as a valid data exchange content type.

  • Regardless of Alice’s outgoing and Barbara’s incoming feeds using either the TAXII inbox or the TAXII poll transport types, they both need to publish data to and retrieve data from the same TAXII collection:

    • Alice (publisher) should publish content through a TAXII outgoing feed and a specified Collection name – for a TAXII poll transport type – or a Destination collection name – for a TAXII inbox transport type.

    • Barbara (recipient) should ingest content through a TAXII incoming feed, and it should ingest from or poll the same Collection name specified under Collection name or Destination collection name in Alice’s TAXII outgoing feed configuration.

About user access control and permissions

  • Set the automation user and, where applicable, the group you created as the user and the authorized group that are granted access to the feed.

  • Specify the automation user’s user name and password in the corresponding feed configuration fields.

  • If you enable basic authentication, make sure the automation role has the required additional permissions.

Create a TAXII inbox outgoing feed

Set up and configure transport and content types for TAXII inbox outgoing feeds to publish selected platform data through the TAXII inbox service.

To configure the general options for TAXII inbox outgoing feeds, see Configure the general options and the other relevant child articles under Outgoing feeds.

Note

Assign unique names to TAXII feeds: TAXII inbox and TAXII poll incoming and outgoing feeds in the platform should all have unique names.

Configure the transport type

Note

Before configuring a TAXII transport type for an incoming or an outgoing feed, make sure that the appropriate TAXII service is correctly configured in platform_settings.py.

TAXII inbox and TAXII poll transport types require Cabby.

For more information, see official Cabby documentation, the Cabby public repo on GitHub, and the Cabby download page.

The TAXII inbox transport type for outgoing feeds publishes data in the supported content types through the TAXII inbox service:

  1. From the Transport type drop-down menu, select TAXII inbox.

    Under Transport configuration, set the following transport options for the feed:

    • Auto Discovery: enter the URL pointing to a TAXII discovery service.

      Feed consumers can send a request to the discovery service to obtain a list of the available TAXII services they can access and poll for content updates.

      Example: http://hailataxii.com/taxii-discovery-service

    • Inbox service URL: enter the URL pointing to the location of the TAXII data collections available through the TAXII inbox service.

      Example: https://example.com/taxii-inbox

    • Destination collection name: enter an existing collection name as the target container for the outgoing feed data.

      Example: collection.Default

    • TAXII version: select the TAXII version your system supports:

    • EclecticIQ authentication URL: enter the URL pointing to the EclecticIQ Platform instance, including the endpoint that takes the user name and password inputs to send them to the authentication mechanism.

      Example: https://${platform_host_name}/api/auth

    • Basic authentication: if the data source TAXII server requires basic authentication to access the corresponding TAXII services, select this checkbox to fill out the required information.

      • Username: enter a valid user name to authenticate and be granted the necessary authorization to access the location of the outgoing feed content.

      • Password: enter a valid password to authenticate and be granted the necessary authorization to access the location of the outgoing feed content.

    • SSL certificate authentication: if the TAXII server requires an SSL certificate to authenticate and to authorize access to the corresponding TAXII services, select this checkbox to fill out the required information.

      • SSL certificate: copy-paste the content of a valid SSL certificate to authenticate.

        SSL certificate file format: .pem

      • SSL key: copy-paste the content of a valid SSL key to authenticate.

        SSL key file format: .pem

      • SSL key password: enter the SSL password or passphrase for the SSL key.

        This field is masked.

    • SSL verification: if the TAXII server requires an SSL certificate to authenticate and to access its TAXII services, you can select this checkbox to test the SSL connection and to verify that it works as expected.

    • To store your changes, select Save; to discard them, select Cancel.

      To access additional save options, select the down arrow on the Save button:

      • Select Save and new to save the current data or configuration for the item you are working on, and to create a new item of the same type right away.

        For example, a new dataset, feed, policy, rule, task, or workspace.

      • Select Save and duplicate to save the current data for the item you are working on, and to create a new prepopulated copy of the same item, which you can use as a template or a blueprint to speed up repetitive manual work.
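A pre-flight check for the TAXII inbox transport options above, as an added example that is not part of the platform or of Cabby: it flags basic authentication configured against a non-HTTPS URL, an SSL certificate field that holds something other than a certificate (for instance a certificate signing request), and an encrypted SSL key with no SSL key password. The dictionary keys are hypothetical names for the form fields, and the PEM blocks are constructed filler, not real key material.

```python
import base64
import re
from urllib.parse import urlsplit

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*\n(.*?)\n\s*-----END \1-----", re.S)

def pem_blocks(text):
    """Return (label, encrypted, der_or_None) for every PEM block in text."""
    blocks = []
    for label, body in PEM_RE.findall(text or ""):
        # Legacy OpenSSL keys flag encryption in headers placed before the base64 body.
        encrypted = "ENCRYPTED" in label or "Proc-Type: 4,ENCRYPTED" in body
        b64 = "".join(ln.strip() for ln in body.splitlines() if ":" not in ln)
        try:
            der = base64.b64decode(b64, validate=True) or None
        except ValueError:  # elided or truncated sample, not usable material
            der = None
        blocks.append((label, encrypted, der))
    return blocks

def check_inbox_transport(cfg):
    """Return findings for a TAXII inbox transport configuration dict."""
    findings = []
    for field in ("auto_discovery", "inbox_service_url"):
        url = cfg.get(field)
        if url and cfg.get("basic_auth") and urlsplit(url).scheme != "https":
            findings.append(f"{field}: basic authentication over a non-HTTPS URL")
    if cfg.get("ssl_auth"):
        certs = pem_blocks(cfg.get("ssl_certificate"))
        keys = pem_blocks(cfg.get("ssl_key"))
        if not certs or any(lbl != "CERTIFICATE" or der is None for lbl, _, der in certs):
            findings.append("ssl_certificate: every PEM block must be a decodable CERTIFICATE")
        if len(keys) != 1 or not keys[0][0].endswith("PRIVATE KEY") or keys[0][2] is None:
            findings.append("ssl_key: expected exactly one decodable private key")
        elif keys[0][1] and not cfg.get("ssl_key_password"):
            findings.append("ssl_key: key is encrypted but SSL key password is empty")
    return findings

def sample_pem(label, headers=""):  # constructed block: filler payload, no key material
    body = base64.b64encode(b"constructed filler bytes").decode()
    return f"-----BEGIN {label}-----\n{headers}{body}\n-----END {label}-----\n"

SAMPLE = {  # constructed values; the keys are hypothetical names for the form fields
    "auto_discovery": "http://taxii.example.com/taxii-discovery-service",
    "inbox_service_url": "https://taxii.example.com/taxii-inbox",
    "basic_auth": True, "ssl_auth": True, "ssl_key_password": "",
    "ssl_certificate": sample_pem("CERTIFICATE REQUEST"),
    "ssl_key": sample_pem("RSA PRIVATE KEY", "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n"),
}
```

Calling check_inbox_transport(SAMPLE) returns three findings, one per misconfigured field. The check inspects only PEM labels and base64 validity; it does not parse the certificate or confirm that the key matches it.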

Create a TAXII poll outgoing feed

To configure the general options for TAXII inbox outgoing feeds, see Configure the general options and the other relevant child articles under Outgoing feeds.

Note

Assign unique names to TAXII feeds: TAXII inbox and TAXII poll incoming and outgoing feeds in the platform should all have unique names.

Configure the transport type

Note

Before configuring a TAXII transport type for an incoming or an outgoing feed, make sure that the appropriate TAXII service is correctly configured in platform_settings.py.

TAXII inbox and TAXII poll transport types require Cabby.

For more information, see official Cabby documentation, the Cabby public repo on GitHub, and the Cabby download page.

The TAXII poll transport type for outgoing feeds publishes data in the supported content types through the TAXII poll service:

  1. Create an outgoing feed.

  2. From the Transport type drop-down menu, select TAXII poll.

  3. Select the Public checkbox to make the outgoing feed available to all platform groups and to all platform users.

    Leave it deselected to make the outgoing feed available only to specific groups.

    You can select the intended recipient groups in Authorized groups.

    Default value: deselected

  4. From the Authorized groups drop-down menu, select one or more groups to grant them access to the feed.

    This option restricts access to the outgoing feed only to the selected user groups and to their members.

    Authorized groups is only available when Public is deselected (default setting).

  5. In the Collection name field, enter the name of the TAXII data collection you want to use to consolidate the outgoing feed content.

    The data collection name can be at most 1024 characters long, and it should comply with the xsd:anyURI XML schema data type.

    Example: MalwareDomainList_Hostlist

Configure the content type

  1. From the Content type drop-down menu, select EclecticIQ JSON as the appropriate content type for the data you want to exchange between the two platform instances.

    The selected content type needs to match the actual format of the source/input data.

  2. From the Datasets drop-down menu, select one or more existing datasets to use as sources to populate the outgoing feed content.

    For the feed not to be empty, at least one selected dataset should contain entities and observables in the same format as the configured content type for the feed.

  3. From the Update strategy drop-down menu, select the preferred method to populate the outgoing feed with data before publishing it:

    Note

    For more information about update strategies, see Create and configure outgoing feeds.

The EclecticIQ JSON content type is suitable for machine consumption.

For example, you can use EclecticIQ JSON as a content type in an IC-to-IC data exchange setup.

Under Content configuration, set the EclecticIQ JSON content type option:

  1. Select the Override producer checkbox to replace the value defining the identity of the original producer of the data with the producer name defined for the platform.

    To find this value, select Settings > STIX and TAXII > STIX > Add STIX settings > Producer.

    Leave it deselected to include the identity of the original producer of the information.

    This setting affects the data.producer.identity.name value in the JSON entity data structure:

    {
      "data": {
        "producer": {
          "type": "information-source",
          "identity": {
            "type": "identity",
            "name": "${producer_identity}"
          }
        }
      }
    }

    Example value for ${producer_identity}: EclecticIQ