This document explains how to configure and use the Anomali ThreatStream TAXII client to collect Indicators of Compromise (IOC) data from the TruSTAR TAXII server and make that data available for analysis in ThreatStream.
- TruSTAR TAXII Server
- TAXII FAQ
- Creating a Service Account, TruSTAR's TAXII server accesses all enclaves that your API keys can access. Having a Service Account enables you to customize access by enclave and it also mitigates the risk of resetting API keys. For more information on customizing enclave access, see the TAXII FAQ document.
- Anomali ThreatStream
- Access to your TruSTAR API Key and API Secret.
Configuring the TAXII Client
- Navigate to Settings/TAXII and then click the TAXII Feeds tab.
- Click Actions and select New TAXII Feed.
- Select the options for the new feed:
- Name for the TAXII Feed.
- Expiration date. TruSTAR recommends using the default value of 90 days.
- Whether to override the system confidence or not. If you check this option, set the confidence level. TruSTAR recommends using the default setting (unchecked).
- Navigate back to Settings/TAXII and click the Sites tab.
- Click Actions and select Add Site.
- Fill in the fields in the new site dialog box:
- Descriptive Name: Enter a the feed name. TruSTAR recommends including TruSTAR in the name so that you can easily remember the feed source; for example, use TruStar - CLA.
- Discovery URL: Enter this URL: https://taxii.trustar.co/services/discovery
- Authentication: Select Basic Authentication.
- Username: Enter your TruStar API Key.
- Password: Enter your TruStar API Secret.
- Click Add Site to create the new site. The new site appears on the Sites tab.
- Select the checkbox to the left of the site you just created, then [...] to configure it. This opens the settings for that site.
- Confirm that DISCOVERY OK is selected in the Discovery box.
- Click Configure under the collection name to access the feed configuration dialog.
- In the Feed Configuration dialog, enter this information:
- Leave Subscription ID empty
- Select an Interval for how often to poll
- Select the date and time you want the poll to start
- Click Save and Run Now to complete the configuration process.
If you do not see the Poll Collections tab after you have completed the configuration, check on the ThreatStream User Admin/Users page that the the user has been granted the Import to TAXII Feeds permission.