The Structured Threat Information eXchange (STIX) is an industry-standard file format for exchanging threat information between organizations and platforms. The Trusted Automated eXchange of Indicator Information (TAXII) is a protocol for transmitting threat information, primarily in STIX format, between systems and organizations. Importing threat intelligence, such as IP indicators, in STIX format from a remote source via the TAXII protocol enhances Plixer Scrutinizer's existing IP detection capabilities.
Additional licensing is required for this feature. Contact Plixer support for assistance.
Setting up STIX imports via CLI
To configure the STIX import, collect IP or domain watchlists in STIX format (v1 or v2). The name of each file becomes the category. Place the files in the /home/plixer/scrutinizer/files/threats directory; the application will import them automatically.
Plixer Scrutinizer supports .stix, .stix1 or .stixv1 as the extension for v1 (XML) or .stix2 or .stxv2 for v2 (JSON).
Configuring STIX-TAXII feeds
- Navigate to the Admin > Settings > STIX-TAXII page and click the Add button to create a new feed.
- Fill out the following fields:
  - the Feed Name;
  - the API Root (NOT the Discovery URL);
  - the Collection ID;
  - the username and password.
- Save the entry.
- Use the Test button to confirm that the Scrutinizer user can access the feed.
- After you complete the setup, Plixer Scrutinizer will attempt to pull the lists from the TAXII server every time the host reputation list download process runs. Alerting should happen automatically.
- Import IP watchlists only. All other indicators will be ignored, but they can cause the import of IP indicators to fail.
- Don't attempt to import IP watchlists that use complex boolean logic to trigger matches.
- The feature will ingest only independent IP indicators and will ignore more complex ones. A complicated indicator included alongside basic ones will not prevent the basic ones from being imported.
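As an added example (not Plixer's code), the following pre-flight check reads a STIX 2 JSON bundle and reports which objects would count as independent IP indicators and which would be ignored, so a mixed feed can be reviewed before it is placed in the threats directory. The definition of "independent" used here (a single ipv4-addr or ipv6-addr equality with no boolean operators) and the sample bundle values are assumptions, not Scrutinizer's documented rules.

```python
import json
import re
from ipaddress import ip_address

# Constructed STIX 2.x bundle for illustration (not from Plixer or its docs).
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '203.0.113.10']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.7' AND network-traffic:dst_port = 4444]"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000004",
         "pattern_type": "stix", "pattern": "[domain-name:value = 'bad.example']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000005",
         "pattern_type": "stix", "pattern": "[ipv6-addr:value = '2001:db8::1']"},
        {"type": "malware", "id": "malware--00000000-0000-4000-8000-000000000006",
         "name": "sample"},
    ],
})

# Assumed definition of an "independent IP indicator": one ipv4-addr or ipv6-addr
# comparison, no AND/OR/FOLLOWEDBY operators, no other observable objects.
SIMPLE_IP_PATTERN = re.compile(r"^\[\s*(?:ipv4-addr|ipv6-addr):value\s*=\s*'([^']+)'\s*\]$")


def classify_bundle(bundle_json):
    """Split a STIX 2 bundle into the IP values that would be ingested and the
    objects that would be ignored, each paired with the reason."""
    accepted, ignored = [], []
    for obj in json.loads(bundle_json).get("objects", []):
        oid = obj.get("id", "<no id>")
        if obj.get("type") != "indicator":
            ignored.append((oid, "not an indicator"))
            continue
        match = SIMPLE_IP_PATTERN.match(obj.get("pattern", ""))
        if not match:
            ignored.append((oid, "not an independent IP indicator"))
            continue
        try:
            # Normalise the literal and reject anything that is not a valid address.
            accepted.append(str(ip_address(match.group(1))))
        except ValueError:
            ignored.append((oid, "malformed IP literal"))
    return accepted, ignored
```

Running `classify_bundle(SAMPLE_BUNDLE)` on the sample yields the two plain IP indicators as accepted and the boolean, domain, and malware objects as ignored.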