Integrate Trend Threat Intelligence feed content into OpenCTI using the TAXII2 connector. This process uses the Trend Threat Intelligence feed
API, which supports the TAXII 2.1 protocol, to connect to OpenCTI.
Procedure
- Clone the TAXII2 connector repository.
- Configure environment variables in docker-compose.yml.

  | Environment variable | Description | Value |
  |---|---|---|
  | OPENCTI_URL | URL of your target OpenCTI instance where the connector sends data | |
  | OPENCTI_TOKEN | API token for authenticating the connector with OpenCTI | |
  | CONNECTOR_ID | Generate a random UUID to identify this connector instance | A random UUID |
  | TAXII2_DISCOVERY_URL | URL of the TAXII 2.1 threat intelligence feed API | Refer to the regional TAXII feed URL table. |
  | TAXII2_INITIAL_HISTORY | Initial historical data fetch window in hours when starting the connector for the first time | Default: 24 |
  | TAXII2_USE_APIKEY | Switch from using username and password to using a key/value pair as authentication method | true |
  | TAXII2_APIKEY_KEY | API key - name of the HTTP header | Authorization |
  | TAXII2_APIKEY_VALUE | The secret value set as the header value | Your Trend Vision One API token |
- To filter marking-definition objects during import, use the following environment variables.
  - Set TAXII2_IGNORE_OBJECT_TYPES to true to exclude specific objects.
  - Specify TAXII2_OBJECT_TYPES_TO_IGNORE with a comma-separated list of STIX object types to ignore.

  OpenCTI uses Traffic Light Protocol (TLP), so TLP displays as expected.
- Run the following command to ingest the fetched data into OpenCTI through the TAXII2 connector.

      $ docker-compose up
- Monitor the import status in the OpenCTI web portal at .
- To re-import data from the period defined by TAXII2_INITIAL_HISTORY, click Reset in the OpenCTI portal.
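A pre-flight check for the variables configured in the procedure above, written as an added example; it is not part of the original page or of the connector's own code. The function name check_connector_env, the HTTPS requirement on the discovery URL and every value in SAMPLE_ENV are assumptions made for illustration.

```python
import os
import re
import uuid
from urllib.parse import urlparse

STIX_TYPE = re.compile(r"[a-z][a-z0-9-]*")  # STIX type names: lowercase, digits, hyphens

def check_connector_env(env):
    """Return a list of problems in the connector's environment (empty list = OK)."""
    get = lambda name, default="": str(env.get(name, default)).strip()
    problems = [f"{n} is not set" for n in
                ("OPENCTI_URL", "OPENCTI_TOKEN", "TAXII2_APIKEY_VALUE") if not get(n)]
    try:
        uuid.UUID(get("CONNECTOR_ID"))
    except ValueError:
        problems.append("CONNECTOR_ID is not a valid UUID")
    # Assumption: require HTTPS, since the API token is sent in the Authorization header.
    url = urlparse(get("TAXII2_DISCOVERY_URL"))
    if url.scheme != "https" or not url.netloc:
        problems.append("TAXII2_DISCOVERY_URL must be an https:// URL")
    if get("TAXII2_USE_APIKEY").lower() != "true":
        problems.append("TAXII2_USE_APIKEY must be true")
    if get("TAXII2_APIKEY_KEY") != "Authorization":
        problems.append("TAXII2_APIKEY_KEY must be Authorization")
    history = get("TAXII2_INITIAL_HISTORY", "24")  # default from the table: 24 hours
    if not history.isdecimal() or int(history) < 1:
        problems.append("TAXII2_INITIAL_HISTORY must be a positive number of hours")
    ignore_on = get("TAXII2_IGNORE_OBJECT_TYPES").lower() == "true"
    types = [t.strip() for t in get("TAXII2_OBJECT_TYPES_TO_IGNORE").split(",") if t.strip()]
    if ignore_on != bool(types):
        problems.append("TAXII2_IGNORE_OBJECT_TYPES and TAXII2_OBJECT_TYPES_TO_IGNORE must be set together")
    problems += [f"{t!r} is not a STIX type name" for t in types if not STIX_TYPE.fullmatch(t)]
    return problems

# Constructed sample values: placeholders, not real endpoints or secrets.
SAMPLE_ENV = {
    "OPENCTI_URL": "http://opencti:8080",
    "OPENCTI_TOKEN": "<opencti-api-token>",
    "CONNECTOR_ID": "7c1f0f5e-3f0a-4c3b-9d55-2a6f3b1e8a10",
    "TAXII2_DISCOVERY_URL": "https://taxii.example.invalid/",
    "TAXII2_USE_APIKEY": "true",
    "TAXII2_APIKEY_KEY": "Authorization",
    "TAXII2_APIKEY_VALUE": "<trend-vision-one-api-token>",
    "TAXII2_IGNORE_OBJECT_TYPES": "true",
    "TAXII2_OBJECT_TYPES_TO_IGNORE": "marking-definition",
}
if __name__ == "__main__":
    for problem in check_connector_env(os.environ) or ["configuration looks consistent"]:
        print(problem)
```

Run it with the same variables exported that docker-compose.yml passes to the connector; an empty result means the settings agree with the table.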
The following example shows a sample result of a STIX import.
{
  "id": "indicator--6d67c97d-34b4-4aac-89d9-84232fb38946",
  "type": "indicator",
  "spec_version": "2.1",
  "created_by_ref": "identity--74f7eb0f-1ca3-491a-b4cf-f4d54c83c87d",
  "created": "2024-06-28T03:09:12.806Z",
  "modified": "2024-11-11T07:59:53.564Z",
  "name": "File SHA1: f17d9b3cd2ba1dea125d2e1a4aeafc6d4d8f12dc",
  "lang": "en",
  "pattern": "[file:hashes.'SHA-1' = 'f17d9b3cd2ba1dea125d2e1a4aeafc6d4d8f12dc']",
  "pattern_type": "stix",
  "pattern_version": "2.1",
  "valid_from": "2024-11-11T07:59:53.017Z",
  "valid_until": "2025-11-11T07:59:53.017Z",
  "object_marking_refs": [
    "marking-definition--ce6a3a69-be72-4e80-bfc1-4c6b44f23651", // Copyright
    "marking-definition--05972cd1-d8ed-42f3-b104-7770c3787929", // Disclaimer
    "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82" // TLP:AMBER
  ]
}
