Subscribing to TAXII 2 Data (JSON)

With version 2 of TAXII and STIX now available and at a mature state, DarkLight now comes with added support for TAXII 2.0 and STIX 2.X. With the new client implementation, users are able to receive threat intelligence from DarkLight's internal TAXII 2 client and send the STIX 2 bundles through the pipeline for reification into your contextual knowledge store.

With TAXII 2's RESTful implementation, we were able to simplify the configuration process for users: compared with our TAXII 1 client, the number of configurable components is reduced, and configuration is done at the Collection level.

A. The left pane is a filterable alphabetical list of the servers configured in DarkLight. Choose an item from the list to load its configuration details into the right column.

B. Use the Name field to change the name of the configuration in the list. The other information is provided by the TAXII 2 server.

C. This list contains the title of each API root and the root's URL endpoint. Each root gives access to a number of collections that can be used to request STIX 2 data. Choose an API root to display the collections for that root in the next section.

D. The list of available collections for the selected API root shows the title of each collection, whether or not your account can read from or write to that collection, and the collection's URL endpoint.

Click on a collection title in the list to show the Filter Parameters that can be specified for the collection.

When you have configured the collection and have a playbook with a Taxii2 ingest step ready to receive data, click the Use checkbox to start data flowing in.

E. Each collection in the configuration contains filter parameters for requesting STIX data from the server (see below for details).

  1. Click the "Taxi+" icon in the toolbar
  2. Enter the TAXII 2 server URL
  3. (Optional) Click the "Authorization" checkbox if credentials are required
    1. Enter the credentials for Authorization to the server
  4. Click the "Discover" button
    1. If the discovery was successful, another dialog should appear with the server's information and a list of the API roots available from that server
    2. If the discovery was unsuccessful, another dialog should appear with the general error information returned by the server
  5. If successful, click "Save" for the server configuration to be created

At this point, DarkLight will interrogate the TAXII 2 server and gather the available API root and collection information.
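The discovery step above amounts to two JSON requests: GET on the server's discovery endpoint to learn the API roots, then GET on each root's collections endpoint to learn the collections and their read/write flags. The following Python is an added example (not DarkLight's own client code) that parses constructed copies of those two TAXII 2.0 response documents, builds the HTTP Basic header used when the Authorization checkbox is ticked, and derives the objects endpoint DarkLight would later poll. The host `taxii.example.invalid` and the collection ids are placeholders; the only real values are the TAXII 2.0 media type and the endpoint layout from the specification.

```python
import base64
import json
from urllib.parse import urljoin

# Media type a TAXII 2.0 client sends in Accept for discovery and collection endpoints.
TAXII_20_ACCEPT = "application/vnd.oasis.taxii+json; version=2.0"

# Constructed sample of a discovery response (GET <server>/taxii/), shaped as the
# TAXII 2.0 specification describes. The host is a placeholder, not a real server.
DISCOVERY_JSON = """{
  "title": "Constructed TAXII Server",
  "description": "Sample discovery document for this example, not a real server",
  "default": "https://taxii.example.invalid/feeds/",
  "api_roots": [
    "https://taxii.example.invalid/feeds/",
    "https://taxii.example.invalid/private/"
  ]
}"""

# Constructed sample of GET <api_root>/collections/ for the first API root.
COLLECTIONS_JSON = """{
  "collections": [
    {
      "id": "91a7b528-80eb-42ed-a74d-c6fbd5a26116",
      "title": "Phish Tank",
      "can_read": true,
      "can_write": false,
      "media_types": ["application/vnd.oasis.stix+json; version=2.0"]
    },
    {
      "id": "52892447-4d7e-4f70-b94d-d7f22742ff63",
      "title": "Private Sightings",
      "can_read": false,
      "can_write": true,
      "media_types": ["application/vnd.oasis.stix+json; version=2.0"]
    }
  ]
}"""


def request_headers(username=None, password=None):
    """Headers for a TAXII 2.0 request; HTTP Basic is added only when credentials are given."""
    headers = {"Accept": TAXII_20_ACCEPT}
    if username is not None:
        token = base64.b64encode(f"{username}:{password or ''}".encode("utf-8")).decode("ascii")
        headers["Authorization"] = "Basic " + token
    return headers


def parse_discovery(text):
    """Return the server title and API roots, rejecting responses that are not a discovery document."""
    doc = json.loads(text)
    roots = doc.get("api_roots")
    if "title" not in doc or not isinstance(roots, list):
        raise ValueError("not a TAXII 2.0 discovery document")
    # TAXII 2.0 requires HTTPS; a root advertised over plain http is reported, not followed.
    bad = [r for r in roots if not r.startswith("https://")]
    if bad:
        raise ValueError(f"refusing non-https API roots: {bad}")
    return {"title": doc["title"], "api_roots": roots}


def objects_url(api_root, collection_id):
    """Endpoint a client polls for the STIX objects of one collection."""
    return urljoin(api_root, f"collections/{collection_id}/objects/")


def readable_collections(text, api_root):
    """List the collections the account can read, with the objects endpoint for each."""
    doc = json.loads(text)
    result = []
    for col in doc.get("collections", []):
        if not col.get("can_read", False):
            continue
        result.append({
            "id": col["id"],
            "title": col["title"],
            "can_write": bool(col.get("can_write", False)),
            "objects_url": objects_url(api_root, col["id"]),
        })
    return result


if __name__ == "__main__":
    server = parse_discovery(DISCOVERY_JSON)
    print(server["title"], server["api_roots"])
    for col in readable_collections(COLLECTIONS_JSON, server["api_roots"][0]):
        print(col["title"], "->", col["objects_url"])
```

A collection with `can_read` false is dropped from the list rather than shown, which is the check that stops a configuration from being saved against a collection the account cannot actually fetch from.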

Options for Collections

Once you have made a connection to the server, click on the name of the configuration in the left column. Choose an API Root to show the Collections. Click on the title (not the checkbox) of a collection to change the options.

  • Begin Timestamp: This defines the lower time bound for the request. This is a required field, so if it is empty it will be auto-populated with the default date and time. This field supports ISO date and time formatting.
  • End Timestamp: This defines the upper time bound for the request. This is an optional field. If no end timestamp is given, then DarkLight will monitor and periodically check for newly posted data to the server. Otherwise, a valid timestamp will tell DarkLight to not monitor the server for newly posted data.
  • IDs: If you only want to retrieve specific STIX data, you can list the IDs of that data, separating each ID with a comma. Note that regardless of whether the End Timestamp field is present, DarkLight will only gather the requested IDs and then end its process.
  • Types: This is another optional comma-separated list of the STIX types that you want to retrieve. Common types include identifier, killchainphase, external-reference, etc. See the STIX 2 specification for the complete list.
  • Version: This enumeration tells the server which versions of the STIX object you want.
    • all: Request for all versions of the STIX object(s).
    • first: Request the first published version of the STIX object(s).
    • last: Request the last published version of the STIX object(s).

Activating a Configured Collection

When you are ready to start data flowing into DarkLight from the server, check the Use box. Note that if you do not have any playbooks with a Taxii2 Ingest step, the data will enter the DarkLight data queue and then be dropped.

If you need to start the flow of data over again, uncheck the Use box, make sure the Begin Timestamp is correct, and check the Use box. When data has been received from a collection, the Begin Timestamp will be automatically updated to the current date and time. This prevents data that has already been processed from downloading each time DarkLight starts up.
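The collection options listed under "Options for Collections" and the Begin Timestamp behaviour described just above map onto a small amount of client logic: the Begin Timestamp becomes the TAXII 2.0 `added_after` parameter, IDs, Types and Version become the `match[id]`, `match[type]` and `match[version]` filters, the End Timestamp only exists on the client (TAXII 2.0 has no upper-bound parameter) and decides whether polling continues, and after a successful fetch the Begin Timestamp advances to the current time. The Python below is an added example, not DarkLight's own implementation; the bundle it filters is constructed for the example, and enforcing the End Timestamp against each object's `modified` time on the client is an assumption of the example rather than something the page states.

```python
from datetime import datetime, timezone
from urllib.parse import urlencode

# Constructed STIX 2.0 bundle standing in for a server response; ids and patterns are placeholders.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "spec_version": "2.0",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-0000000000a1",
         "created": "2017-10-02T10:00:00.000Z", "modified": "2017-10-02T10:00:00.000Z",
         "labels": ["malicious-activity"], "valid_from": "2017-10-02T10:00:00.000Z",
         "pattern": "[url:value = 'http://phish.example.invalid/login']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-0000000000a2",
         "created": "2018-12-01T00:00:00.000Z", "modified": "2018-12-01T00:00:00.000Z",
         "labels": ["malicious-activity"], "valid_from": "2018-12-01T00:00:00.000Z",
         "pattern": "[url:value = 'http://phish2.example.invalid/verify']"},
        {"type": "identity", "id": "identity--00000000-0000-4000-8000-0000000000b1",
         "created": "2017-10-02T10:00:00.000Z", "modified": "2017-10-02T10:00:00.000Z",
         "name": "Constructed feed publisher", "identity_class": "organization"},
    ],
}


def parse_iso(ts):
    """Parse an ISO 8601 timestamp; a trailing Z or a date-only value is accepted, naive values are UTC."""
    dt = datetime.fromisoformat(ts.strip().replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def to_taxii_timestamp(dt):
    """Render a datetime in the RFC 3339 UTC form TAXII 2.0 expects."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")


def build_query(begin, end=None, ids=(), types=(), version="last"):
    """Map the collection options onto TAXII 2.0 objects-endpoint query parameters.

    Begin Timestamp -> added_after; IDs -> match[id]; Types -> match[type]; Version -> match[version].
    End Timestamp has no server-side parameter in TAXII 2.0, so it is applied on the client
    (see select_objects) and only decides whether polling continues (see should_poll).
    """
    if not begin:
        raise ValueError("Begin Timestamp is required")
    if version not in ("all", "first", "last"):
        raise ValueError("Version must be one of all, first, last")
    params = [("added_after", to_taxii_timestamp(parse_iso(begin)))]
    if ids:
        params.append(("match[id]", ",".join(ids)))
    if types:
        params.append(("match[type]", ",".join(types)))
    params.append(("match[version]", version))
    # Brackets, commas and colons are left readable; servers accept the percent-encoded form too.
    return urlencode(params, safe="[],:")


def should_poll(end=None, ids=()):
    """True when the client keeps monitoring the collection: no End Timestamp and no explicit IDs."""
    if ids:
        return False      # a list of IDs is fetched once and the process ends
    return end is None    # an End Timestamp turns monitoring off


def select_objects(bundle, end=None):
    """Return the ids of bundle objects whose modified (or created) time is not after End Timestamp.

    Assumption of this example: the upper bound is enforced on the client from the objects'
    own timestamps, because the TAXII 2.0 server only offers the added_after lower bound.
    """
    if end is None:
        return [obj["id"] for obj in bundle["objects"]]
    limit = parse_iso(end)
    kept = []
    for obj in bundle["objects"]:
        stamp = obj.get("modified") or obj.get("created")
        if stamp is None or parse_iso(stamp) <= limit:
            kept.append(obj["id"])
    return kept


def after_fetch(options, now):
    """Once a collection has delivered data the Begin Timestamp moves to the current time,
    so objects that were already processed are not downloaded again at the next start-up."""
    updated = dict(options)
    updated["begin"] = to_taxii_timestamp(now)
    return updated


if __name__ == "__main__":
    opts = {"begin": "2017-10-01", "end": None, "ids": (), "types": ("indicator",), "version": "last"}
    print(build_query(opts["begin"], opts["end"], opts["ids"], opts["types"], opts["version"]))
    print("keep polling:", should_poll(opts["end"], opts["ids"]))
    print(select_objects(SAMPLE_BUNDLE, "2018-01-01T00:00:00Z"))
    print(after_fetch(opts, datetime.now(timezone.utc))["begin"])
```

The `after_fetch` step is the one to keep in mind when restarting a flow: because the Begin Timestamp is moved forward after each delivery, "uncheck Use, fix Begin Timestamp, check Use" is the only way to make the server re-send older objects.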

To try out the Taxii 2 View, use the following settings:

1. Taxii 2 Configuration

  • Server URL: https://limo.anomali.com/taxii/
  • Name: guest
  • Password: guest
  • API Root: TAXII feeds
  • Collection: Phish Tank (Set Begin Timestamp to something after 2017-10-01)
  • (Don't click the Use checkbox just yet)

2. Import DarkLight Assets

3. Activate the Playbook

  • Find the "Taxii Indicator Publisher" playbook in your Playbook Manager view and make sure it has a checkmark next to it.
  • In the Taxii 2 Configuration view, check the Use box next to Phish Tank.
  • Data should start to flow from the Anomali server and you'll see Indicators show up in Contextual Memory on the Review Perspective. You'll also see a Collection called "Indicators" show up in the Collection Manager.

Last modified: 2018/11/12 21:06