Configure a TAXII Connection Configuration File
In addition to the Extractor configuration file, this TAXII loader requires a configuration file describing the connection information to the TAXII server.
-
Log in as root to the host on which Metron is installed.
sudo -s $METRON_HOME
-
Create a connection configuration file called
threatintel_connection_config_temp.json
at$METRON_HOME/config
and populate it with the threat intelligence source schema:{ "endpoint" : "http://localhost:9000/services/discovery" ,"username" : "guest" ,"password" : "guest" ,"type" : "DISCOVER" ,"collection" : "guest.MalwareDomainList_Hostlist" ,"table" : "threatintel" ,"columnFamily" : "t" ,"allowedIndicatorTypes" : [ "domainname:FQDN", "address:IPV_4_ADDR" ] }
where:
- endpoint
-
The URL of the endpoint
- type
-
POLL
orDISCOVER
depending on the endpoint. - collection
-
The Taxii collection to ingest
- table
-
The HBase table to import into
- columnFamily
-
The column family to import into
- allowedIndicatorTypes
-
an array of acceptable threat intelligence types (see the "Enrichment Type Name" column of the Stix table above for the possibilities).
The parameters for the utility are as follows:
Short Code Long Code Is Required? Description -h No Generate the help screen/set of options -e --extractor_config Yes JSON Document describing the extractor for this input data source -c --taxii_connection_config Yes The JSON config file to configure the connection -p --time_between_polls No The time between polling the Taxii server in milliseconds. (default: 1 hour) -b --begin_time No Start time to poll the Taxii server (all data from that point will be gathered in the first pull). The format for the date is yyyy-MM-dd HH:mm:ss -l --log4j No The Log4j Properties to load -n --enrichment_config No The JSON document describing the enrichments to configure. Unlike other loaders, this is run first if specified. -
Remove any non-ASCII invisible characters that might have been included if you
copy and pasted:
iconv -c -f utf-8 -t ascii threatintel_extractor_config_temp.json -o threatintel_extractor_config.json