STIX-TAXII
STIX-TAXII integration allows Plixer Scrutinizer to import comprehensive and up-to-date threat intelligence in the industry-standard Structured Threat Information eXchange (STIX) format via the Trusted Automated eXchange of Indicator Information (TAXII) protocol from external systems and organizations. This greatly enhances Plixer Scrutinizer’s already robust IP detection capabilities.
Important
STIX-TAXII integration requires additional licensing to enable. Contact Plixer Technical Support to learn more.
Importing STIX files via CLI
To have Plixer Scrutinizer automatically import IP/domain watchlists, download the files in STIX format (v1 or v2) and copy them to the /home/plixer/scrutinizer/files/threats directory on the appliance. The name of the file will also be used as the category.
Important
Domain watchlists are currently only used in AI-based threat detection algorithms and need not be imported for deployments that do not include the Plixer ML Engine.
Note
Plixer Scrutinizer supports .stix, .stix1, and .stixv1 extensions for v1 (XML) and .stix2 and .stxv2 extensions for v2 (JSON).
Configuring STIX-TAXII feeds
To configure a new STIX-TAXII feed in the Plixer Scrutinizer web interface, follow these steps:
Navigate to Admin > Integrations > STIX-TAXII and click the Add button to create a new feed.
Fill in the following fields:
Feed name
API Root (not the Discovery URL)
Collection ID
Login credentials for the feed
Click the Save button to save the settings.
Use the Test button to verify that Plixer Scrutinizer can access the feed with the configured settings.
After the feed has successfully been added, Plixer Scrutinizer will attempt to pull the lists from the TAXII server every time the host reputation list download service runs.
Once imported, STIX-TAXII threat intelligence is used by Plixer Scrutinizer’s reputation algorithms (IP indicators only) and the Plixer ML Engine’s reputation algorithms (IP and domain indicators) for Alarm and Event reporting under their respective Alarm Policies.
Additional tips
Import IP watchlists only. All other indicators will be ignored but can cause the import of IP indicators to fail.
Don’t attempt to import IP watchlists that use complex boolean logic to trigger matches.
The feature will ingest only independent IP indicators. It will ignore more complex ones.
Note
A complicated indicator included with more basic ones will not prevent them from being imported.
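The following pre-flight check is an added example, not part of the Plixer documentation or product. It covers the file-drop rules above (extension determines STIX version, file name becomes the category; it assumes the category is the name without its extension) and the tips about simple versus compound indicators: it reads a STIX 2 JSON bundle and reports which indicators an IP-only import would actually use before the file is copied to the threats directory. The sample bundle, its IDs and the pattern regex are constructed here.

```python
import json
import re
from pathlib import Path

# Constructed sample STIX 2.1 bundle (not real threat data): two simple IP
# indicators, one compound boolean indicator and one domain indicator.
SAMPLE_STIX2 = json.dumps({
    "type": "bundle", "id": "bundle--0b5c6d7e-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--0b5c6d7e-0000-4000-8000-000000000002",
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '198.51.100.7']"},
        {"type": "indicator", "id": "indicator--0b5c6d7e-0000-4000-8000-000000000003",
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '203.0.113.0/24']"},
        {"type": "indicator", "id": "indicator--0b5c6d7e-0000-4000-8000-000000000004",
         "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '192.0.2.9' AND network-traffic:dst_port = 4444]"},
        {"type": "indicator", "id": "indicator--0b5c6d7e-0000-4000-8000-000000000005",
         "pattern_type": "stix", "pattern": "[domain-name:value = 'c2.example.invalid']"},
    ],
})

# Extensions documented for the threats directory: v1 is XML, v2 is JSON.
V1_EXTS = {".stix", ".stix1", ".stixv1"}
V2_EXTS = {".stix2", ".stxv2"}
# One IPv4 address or CIDR block and nothing else (no AND/OR/FOLLOWEDBY logic).
SIMPLE_IP = re.compile(r"^\[ipv4-addr:value\s*=\s*'(\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?)'\]$")

def classify_filename(name):
    """Return (category, stix_version); assumes the file stem becomes the category."""
    p = Path(name)
    if p.suffix.lower() in V1_EXTS:
        return p.stem, 1
    if p.suffix.lower() in V2_EXTS:
        return p.stem, 2
    raise ValueError(f"unsupported extension for the threats directory: {name!r}")

def triage_stix2(text):
    """Split a STIX 2 bundle into IPs an IP-only import will use, and the rest."""
    # 'other' holds compound (boolean) patterns and non-IP indicators such as
    # domains, which the IP watchlist import ignores (domains feed only the ML Engine).
    simple, other = [], []
    for obj in json.loads(text).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        m = SIMPLE_IP.match(obj.get("pattern", "").strip())
        if m:
            simple.append(m.group(1))
        else:
            other.append(obj["pattern"])
    return simple, other
```

Run triage_stix2 on a feed export before copying it; anything listed in "other" is either ignored or, if it is a non-IP indicator, a candidate cause of a failed IP import.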