Configure Opentaxii server#
TAXII and TAXII 2.1 feeds hosted by the Intelligence Center (IC) depend on a bundled Opentaxii server.
This is installed by default.
It usually runs on EclecticIQ Intelligence Center host as
eclecticiq-platform-backend-opentaxii.service
.
Configure Opentaxii#
TAXII and TAXII 2.1 feeds are available on EclecticIQ Intelligence Center without further configuration.
To change the default behavior of the provided Opentaxii server:
Modify the configuration file at
/etc/eclecticiq/opentaxii.yml
.Restart the
opentaxii
service. Run as root:systemctl restart eclecticiq-platform-backend-opentaxii.service
For more information on Opentaxii configuration, see Opentaxii configuration.
Warning
Do not change auth_api
and persistent_api
fields.
The defaults are set to values that allow
the Opentaxii instance to integrate with EclecticIQ Intelligence Center.
Configure TAXII 1 services#
To configure EclecticIQ Intelligence Center TAXII 1 services, sign in on EclecticIQ Intelligence Center and go to Settings > STIX and TAXII > TAXII.
See Configure TAXII.
Unique feed names#
When creating TAXII 1 feeds, you must assign them unique feed names.
Configure TAXII 2 services#
TAXII 2 services are available on EclecticIQ Intelligence Center without further configuration.
Caution
You must include the trailing slash
(/
) when accessing
TAXII 2 endpoints.
By default, EclecticIQ Intelligence Center hosts TAXII 2 services at the following endpoints:
Endpoint |
Example URL |
Description |
---|---|---|
|
|
TAXII 2 discovery endpoint |
|
|
Default API root for all TAXII 2 collections hosted by EclecticIQ Intelligence Center. |
Two separate configuration files manage these endpoints:
/etc/eclecticiq/opentaxii.yml
: Manages/taxii2/
endpoint and overall Opentaxii configuration./etc/eclecticiq/platform_settings.py
: Configuration settings for the TAXII 2.1 server API root (default:/taxii2/api_root/
).
Discovery endpoint#
Tip
The discovery endpoint allows unauthenticated
access by default. To disallow unauthenticated
access, set public_discovery
to false
.
To configure the TAXII 2 discovery endpoint, as root:
Edit
/etc/eclecticiq/opentaxii.yml
.Change values in
opentaxii.yml
. See the table below for possible values.Save your changes to
opentaxii.yml
.Restart the OpenTaxii service:
systemctl restart eclecticiq-platform-backend-opentaxii
By default, opentaxii.yml
contains the following taxii2
entry:
taxii2:
persistence_api:
class: eiq.platform.opentaxii.PlatformTAXII2PersistenceAPI
parameters:
default_pagination_limit: 10
max_pagination_limit: 1000
title: "EIQ TAXII2 Server"
# nginx has `client_max_body_size 200m`
max_content_length: 209715200
public_discovery: true
Attribute name |
Default |
Description |
---|---|---|
|
N/A |
Contains configuration for the discovery endpoint ( |
|
persistence_api:
class: eiq.platform.opentaxii.PlatformTAXII2PersistenceAPI
parameters:
default_pagination_limit: 10
max_pagination_limit: 1000
|
Internal values. Do not change. |
|
|
Title assigned to the discovery service. |
|
|
Internal value. Do not change. |
|
|
(Recommended)
Set to Users need to authenticate by sending their API key
as a |
API root endpoint#
Tip
The API root endpoint allows unauthenticated
access by default. To disallow unauthenticated
access, set TAXII2_API_ROOT["is_public"]
to False
.
The TAXII 2 API root endpoint (/taxii2/api_root/
)
is configured through
platform_settings.py
through the TAXII2_API_ROOT
parameter.
To configure TAXII 2 with platform_settings.py
, as root:
Edit
/etc/eclecticiq/platform_settings.py
.Add or change the
TAXII2_API_ROOT
attribute.This table describes the possible keys and values:
Attribute name
Default
Description
TAXII2_API_ROOT
TAXII2_API_ROOT = { "title": "...", "description": "...", "is_public": True, }
Attribute that configures the TAXII 2 API root.
Keys in this dictionary are described in this table.
TAXII2_API_ROOT["title"]
"EIQ TAXII 2.1 api root"
Title assigned to the API root.
TAXII2_API_ROOT["description"]
"The EIQ TAXII 2.1 api root for passive outgoing feeds"
Description assigned to API root.
TAXII2_API_ROOT["is_public"]
True
(Recommended) Set to
False
to restrict access to the following endpoints:/taxii2/api_root/
/taxii2/api_root/collections/
Users need to authenticate by sending their API key as a
Bearer
token, or use Basic authentication.Save
platform_settings.py
.Restart the OpenTaxii service:
systemctl restart eclecticiq-platform-backend-opentaxii
Collections#
TAXII 2 collections are managed as feeds on EclecticIQ Intelligence Center. See the documentation for individual feeds.