STIX-TAXII

STIX-TAXII integration allows Plixer Scrutinizer to import comprehensive and up-to-date threat intelligence in the industry-standard Structured Threat Information eXchange (STIX) format via the Trusted Automated eXchange of Indicator Information (TAXII) protocol from external systems and organizations. This greatly enhances Plixer Scrutinizer’s already robust IP detection capabilities.

Important

STIX-TAXII integration requires additional licensing to enable. Contact Plixer Technical Support to learn more.

Importing STIX files via CLI

To have Plixer Scrutinizer automatically import IP/domain watchlists, download the files in STIX format (v1 or v2) and copy them to the /home/plixer/scrutinizer/files/threats directory on the appliance. The name of the file will also be used as the category.

Important

Domain watchlists are currently only used in AI-based threat detection algorithms and need not be imported for deployments that do not include the Plixer ML Engine.

Note

Plixer Scrutinizer supports .stix, .stix1, and .stixv1 extensions for v1 (XML) and .stix2 and .stxv2 extensions for v2 (JSON).

Configuring STIX-TAXII feeds

To configure a new STIX-TAXII feed in the Plixer Scrutinizer web interface, follow these steps:

  1. Navigate to Admin > Integrations > STIX-TAXII and click the Add button to create a new feed.

  2. Fill in the following fields:

  • Feed name

  • API Root (not the Discovery URL)

  • Collection ID

  • Login credentials for the feed

  3. Click the Save button to save the settings.

  4. Use the Test button to verify that Plixer Scrutinizer can access the feed with the configured settings.

After the feed has successfully been added, Plixer Scrutinizer will attempt to pull the lists from the TAXII server every time the host reputation list download service runs.

Once imported, STIX-TAXII threat intelligence is added to the reputation algorithms of Plixer Scrutinizer (IP indicators only) and the Plixer ML Engine (IP and domain indicators), which raise Alarms and Events under their respective Alarm Policies.

Additional tips

  • Import IP watchlists only. All other indicators will be ignored but can cause the import of IP indicators to fail.

  • Don’t attempt to import IP watchlists that use complex boolean logic to trigger matches.

  • The feature will ingest only independent IP indicators. It will ignore more complex ones.

Note

A complicated indicator included with more basic ones will not prevent them from being imported.
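The tips above come down to one rule: only independent IP indicators are ingested, and unexpected content in a watchlist file can make the import fail. The following script is an added example (not Plixer's code, and not part of this documentation) of a pre-flight filter that reads a STIX 2 JSON bundle, keeps only well-formed single-address IP indicators, and writes the result under the threats directory named in the text with a `.stix2` extension, so that the file name becomes the category. The interpretation of "independent" as a pattern with exactly one `ipv4-addr:value` or `ipv6-addr:value` comparison and no boolean operators is this example's assumption, as is the constructed sample bundle with documentation addresses.

```python
"""Pre-flight filter for STIX 2 bundles before they are copied into
Scrutinizer's threats directory. Added example, not Plixer code.
Assumes: STIX 2.x JSON bundle input, and the documented rule that only
independent IP indicators are ingested."""
import ipaddress
import json
import re
from pathlib import Path

# Drop directory named in the documentation; override for testing.
DEFAULT_THREATS_DIR = Path("/home/plixer/scrutinizer/files/threats")

# An "independent" IP indicator (this example's assumption): one observation
# expression holding a single equality comparison on an IP address object.
# Patterns with AND/OR/FOLLOWEDBY, extra comparisons or non-IP objects do not match.
SIMPLE_IP_RE = re.compile(
    r"^\s*\[\s*(ipv4-addr|ipv6-addr):value\s*=\s*'([^']*)'\s*\]\s*$"
)

# Constructed sample bundle: ids and addresses are documentation/test values only.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {"type": "indicator", "id": "indicator--a", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.10']"},
        {"type": "indicator", "id": "indicator--b", "pattern_type": "stix",
         "pattern": "[ipv6-addr:value = '2001:db8::1']"},
        # Compound boolean pattern: not an independent IP indicator.
        {"type": "indicator", "id": "indicator--c", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.11' AND network-traffic:dst_port = 443]"},
        # Domain indicator: belongs to a domain watchlist, not an IP watchlist.
        {"type": "indicator", "id": "indicator--d", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'malicious.example']"},
        # Malformed address: must be rejected rather than passed through.
        {"type": "indicator", "id": "indicator--e", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.999']"},
        {"type": "malware", "id": "malware--f", "name": "constructed-sample"},
    ],
}


def simple_ip(obj):
    """Normalized address if obj is an independent, well-formed IP indicator, else None."""
    if obj.get("type") != "indicator":
        return None
    m = SIMPLE_IP_RE.match(obj.get("pattern", ""))
    if not m:
        return None
    try:
        return str(ipaddress.ip_address(m.group(2)))  # validates v4 and v6 syntax
    except ValueError:
        return None


def classify_indicators(bundle):
    """Return (accepted_ips, rejected_indicator_ids), both in bundle order."""
    accepted, rejected = [], []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue  # non-indicator objects carry no watchlist entries
        ip = simple_ip(obj)
        if ip:
            accepted.append(ip)
        else:
            rejected.append(obj.get("id", "<no id>"))
    return accepted, rejected


def filtered_bundle(bundle):
    """Copy of the bundle that keeps only the accepted IP indicators."""
    keep = [o for o in bundle.get("objects", []) if simple_ip(o)]
    return {**bundle, "objects": keep}


def watchlist_path(category, threats_dir=DEFAULT_THREATS_DIR):
    """The file name doubles as the category, so restrict it to safe characters."""
    safe = re.sub(r"[^A-Za-z0-9_-]", "_", category).strip("_") or "uncategorized"
    return Path(threats_dir) / f"{safe}.stix2"


def write_watchlist(bundle, category, threats_dir=DEFAULT_THREATS_DIR):
    """Write the filtered bundle into the threats directory; returns the path."""
    path = watchlist_path(category, threats_dir)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(json.dumps(filtered_bundle(bundle), indent=2))
    return path


if __name__ == "__main__":
    ok, dropped = classify_indicators(SAMPLE_BUNDLE)
    print("accepted IPs:", ok)
    print("rejected indicators:", dropped)
    print("would write to:", watchlist_path("partner-feed"))
```

Run it against a feed export before copying the file to the appliance; the rejected list tells you which indicators a feed provider would need to simplify, and the written file contains only entries the documented import will accept.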