Runbook Enriching with Threat Intelligence Information
Also available as:
PDF

Configure a TAXII Connection Configuration File

In addition to the Extractor configuration file, this TAXII loader requires a configuration file describing the connection information to the TAXII server.

  1. Log in as root to the host on which Metron is installed.
    sudo -s $METRON_HOME
  2. Create a connection configuration file called threatintel_connection_config_temp.json at $METRON_HOME/config and populate it with the threat intelligence source schema:
    {
      "endpoint" : "http://localhost:9000/services/discovery"
      ,"username" : "guest"
      ,"password" : "guest"
      ,"type" : "DISCOVER"
      ,"collection" : "guest.MalwareDomainList_Hostlist"
      ,"table" : "threatintel"
      ,"columnFamily" : "t"
      ,"allowedIndicatorTypes" : [ "domainname:FQDN", "address:IPV_4_ADDR" ]
    }

    where:

    endpoint

    The URL of the endpoint

    type

    POLL or DISCOVER depending on the endpoint.

    collection

    The Taxii collection to ingest

    table

    The HBase table to import into

    columnFamily

    The column family to import into

    allowedIndicatorTypes

    an array of acceptable threat intelligence types (see the "Enrichment Type Name" column of the Stix table above for the possibilities).

    The parameters for the utility are as follows:

    Short Code Long Code Is Required? Description
    -h No Generate the help screen/set of options
    -e --extractor_config Yes JSON Document describing the extractor for this input data source
    -c --taxii_connection_config Yes The JSON config file to configure the connection
    -p --time_between_polls No The time between polling the Taxii server in milliseconds. (default: 1 hour)
    -b --begin_time No Start time to poll the Taxii server (all data from that point will be gathered in the first pull). The format for the date is yyyy-MM-dd HH:mm:ss
    -l --log4j No The Log4j Properties to load
    -n --enrichment_config No The JSON document describing the enrichments to configure. Unlike other loaders, this is run first if specified.
  3. Remove any non-ASCII invisible characters that might have been included if you copy and pasted:
    iconv -c -f utf-8 -t ascii threatintel_extractor_config_temp.json -o threatintel_extractor_config.json