STIX-TAXII

STIX-TAXII integration allows Scrutinizer to import comprehensive and up-to-date threat intelligence in the industry-standard Structured Threat Information eXchange (STIX) format via the Trusted Automated eXchange of Indicator Information (TAXII) protocol from external systems and organizations. This greatly enhances Scrutinizer’s already robust IP detection capabilities.

Important

STIX-TAXII integration requires additional licensing to enable. Contact Plixer Technical Support to learn more.

Importing STIX files via CLI

To have Scrutinizer automatically import IP/domain watchlists, download the files in STIX format (v1 or v2) and copy them to the /home/plixer/scrutinizer/files/threats directory on the appliance. The name of the file will also be used as the category.

Important

Domain watchlists are currently only used in AI-based threat detection algorithms and need not be imported for deployments that do not include the Plixer ML Engine.

Note

Scrutinizer supports .stix, .stix1, and .stixv1 extensions for v1 (XML) and .stix2 and .stxv2 extensions for v2 (JSON).

Configuring STIX-TAXII feeds

To configure a new STIX-TAXII feed in the Scrutinizer web interface, follow these steps:

  1. Navigate to Admin > Integrations > STIX-TAXII, and then click Add to create a new feed.

  2. Fill in the following fields:

  • Feed name

  • API Root (not the Discovery URL)

  • Collection ID

  • Login credentials for the feed

  3. Click Save.

  4. Use the Test button to verify that Scrutinizer can access the feed with the configured settings.

After the feed has successfully been added, Scrutinizer will attempt to pull the lists from the TAXII server every time the host reputation list download service runs.

Once imported, STIX-TAXII threat intelligence is added to the reputation algorithms of Scrutinizer (IP indicators only) and of the ML Engine (IP and domain indicators), for alarm and event reporting under their respective alarm policies.

Additional tips

  • Import IP watchlists only. All other indicators will be ignored but can cause the import of IP indicators to fail.

  • Don’t attempt to import IP watchlists that use complex boolean logic to trigger matches.

  • The feature will ingest only independent IP indicators. It will ignore more complex ones.

Note

A complicated indicator included with more basic ones will not prevent them from being imported.
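A pre-flight check for a STIX v2 file before copying it into the threats directory, covering the import rules above (supported v2 extensions, file name as category, only independent IP indicators ingested). This is an added example, not Plixer's code: the sample bundle is constructed with documentation IP ranges, and treating the file name without its extension as the category is an assumption.

```python
import json
import re
from pathlib import Path

# Extensions the page lists for STIX v2 (JSON) files.
STIX2_EXTENSIONS = {".stix2", ".stxv2"}

# An "independent" IP indicator: a single ipv4-addr/ipv6-addr comparison and
# nothing else (no AND/OR/FOLLOWEDBY joining further observables).
SIMPLE_IP_PATTERN = re.compile(r"^\[\s*ipv[46]-addr:value\s*=\s*'([^']+)'\s*\]$")

# Constructed sample bundle (RFC 5737 documentation addresses), not a real feed.
SAMPLE_BUNDLE = json.loads("""
{
  "type": "bundle",
  "id": "bundle--00000000-0000-4000-8000-000000000001",
  "objects": [
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
     "pattern_type": "stix", "pattern": "[ipv4-addr:value = '198.51.100.7']"},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
     "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '198.51.100.8' AND network-traffic:dst_port = 443]"},
    {"type": "malware", "id": "malware--00000000-0000-4000-8000-000000000004",
     "name": "constructed-sample", "is_family": false}
  ]
}
""")

def classify_indicators(bundle: dict) -> dict:
    """Sort bundle objects into what the import ingests (simple IP indicators),
    what it skips (complex patterns), and non-indicator objects."""
    result = {"simple_ips": [], "complex": [], "other": []}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            result["other"].append(obj.get("id", "<no id>"))
            continue
        match = SIMPLE_IP_PATTERN.match(obj.get("pattern", "").strip())
        if match:
            result["simple_ips"].append(match.group(1))
        else:
            result["complex"].append(obj.get("id", "<no id>"))
    return result

def category_from_filename(path: str) -> str:
    """Assumption: the category is the file name without its STIX extension."""
    p = Path(path)
    if p.suffix.lower() not in STIX2_EXTENSIONS:
        raise ValueError(f"not a supported STIX v2 extension: {p.suffix!r}")
    return p.stem
```

Run `classify_indicators` on a feed before dropping it into `/home/plixer/scrutinizer/files/threats`; a non-empty `other` list is the case the tips warn can make the IP import fail.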