Integrate Trend Threat Intelligence feed content into OpenCTI using the TAXII2 connector. This process uses the Trend Threat Intelligence feed
API, which supports the TAXII 2.1 protocol, to connect to OpenCTI.
Procedure
- Clone the TAXII2 connector repository.
- Configure environment variables in docker-compose.yml.

  | Environmental variable | Description | Value |
  | --- | --- | --- |
  | OPENCTI_URL | URL of your target OpenCTI instance where the connector sends data | |
  | OPENCTI_TOKEN | API token for authenticating the connector with OpenCTI | |
  | CONNECTOR_ID | Generate a random UUID to identify this connector instance | A random UUID |
  | TAXII2_DISCOVERY_URL | URL of the TAXII 2.1 threat intelligence feed API | Refer to the regional TAXII feed URL table. |
  | TAXII2_INITIAL_HISTORY | Initial historical data fetch window in hours when starting the connector for the first time | Default: 24 |
  | TAXII2_USE_APIKEY | Switch from using username and password to using a key/value pair as authentication method | true |
  | TAXII2_APIKEY_KEY | API key - name of the HTTP header | Authorization |
  | TAXII2_APIKEY_VALUE | The secret value set as the header value | Your Trend Vision One API token |

- To filter marking-definition objects during import, use the below environmental variables.
  - Set TAXII2_IGNORE_OBJECT_TYPES to true to exclude specific objects.
  - Specify TAXII2_OBJECT_TYPES_TO_IGNORE with a comma-separated list of STIX object types to ignore.

  OpenCTI uses Traffic Light Protocol (TLP), so TLP displays as expected.
- Run the following command to ingest the fetched data into OpenCTI through the TAXII2 connector.
  $ docker-compose up
- Monitor the import status in the OpenCTI web portal at .
- To re-import data from the period defined by TAXII2_INITIAL_HISTORY, click Reset in the OpenCTI portal.
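
A pre-flight check for the variables configured in the procedure above, to run before docker-compose up (an added example, not part of the Trend or OpenCTI documentation). The function name check_taxii2_env, the https requirement on the feed URL, and the sample values are assumptions of this example.

```python
import uuid
from urllib.parse import urlparse

def check_taxii2_env(env):
    """Return a list of problems in the connector's environment mapping."""
    problems = []
    def get(name, default=""):
        return str(env.get(name) or default).strip()
    def is_true(name):
        return get(name).lower() == "true"
    # Assumption: the feed URL must be https because it receives the API token.
    if urlparse(get("TAXII2_DISCOVERY_URL")).scheme != "https":
        problems.append("TAXII2_DISCOVERY_URL: expected an https:// URL")
    opencti = urlparse(get("OPENCTI_URL"))
    if opencti.scheme not in ("http", "https") or not opencti.netloc:
        problems.append("OPENCTI_URL: expected an http(s) URL")
    if not get("OPENCTI_TOKEN"):
        problems.append("OPENCTI_TOKEN: missing")
    try:  # CONNECTOR_ID must parse as a UUID, not a leftover template value.
        uuid.UUID(get("CONNECTOR_ID"))
    except ValueError:
        problems.append("CONNECTOR_ID: not a valid UUID")
    # The fetch window is a whole number of hours (the page's default is 24).
    history = get("TAXII2_INITIAL_HISTORY", "24")
    if not history.isdecimal() or int(history) < 1:
        problems.append("TAXII2_INITIAL_HISTORY: expected a positive number of hours")
    # API-key mode needs the switch, the header name and the secret together.
    if not is_true("TAXII2_USE_APIKEY"):
        problems.append("TAXII2_USE_APIKEY: expected true")
    for name in ("TAXII2_APIKEY_KEY", "TAXII2_APIKEY_VALUE"):
        if not get(name):
            problems.append(f"{name}: missing")
    # The ignore switch and the type list are only useful together.
    types = [t.strip() for t in get("TAXII2_OBJECT_TYPES_TO_IGNORE").split(",") if t.strip()]
    if is_true("TAXII2_IGNORE_OBJECT_TYPES") != bool(types):
        problems.append("TAXII2_IGNORE_OBJECT_TYPES / TAXII2_OBJECT_TYPES_TO_IGNORE: set both or neither")
    return problems

# Constructed sample values; the URLs and secrets are placeholders.
SAMPLE_ENV = {
    "OPENCTI_URL": "http://opencti:8080", "OPENCTI_TOKEN": "<opencti-api-token>",
    "CONNECTOR_ID": "ChangeMe", "TAXII2_DISCOVERY_URL": "https://taxii.example.invalid/",
    "TAXII2_INITIAL_HISTORY": "24", "TAXII2_USE_APIKEY": "true",
    "TAXII2_APIKEY_KEY": "Authorization", "TAXII2_APIKEY_VALUE": "",
    "TAXII2_IGNORE_OBJECT_TYPES": "true", "TAXII2_OBJECT_TYPES_TO_IGNORE": "marking-definition",
}
if __name__ == "__main__":
    for problem in check_taxii2_env(SAMPLE_ENV):
        print(problem)
```

Pass dict(os.environ) or the environment mapping of the connector service from docker-compose.yml in place of SAMPLE_ENV.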
The following example shows a sample result of a STIX import.

    {
      "id": "indicator--6d67c97d-34b4-4aac-89d9-84232fb38946",
      "type": "indicator",
      "spec_version": "2.1",
      "created_by_ref": "identity--74f7eb0f-1ca3-491a-b4cf-f4d54c83c87d",
      "created": "2024-06-28T03:09:12.806Z",
      "modified": "2024-11-11T07:59:53.564Z",
      "name": "File SHA1: f17d9b3cd2ba1dea125d2e1a4aeafc6d4d8f12dc",
      "lang": "en",
      "pattern": "[file:hashes.'SHA-1' = 'f17d9b3cd2ba1dea125d2e1a4aeafc6d4d8f12dc']",
      "pattern_type": "stix",
      "pattern_version": "2.1",
      "valid_from": "2024-11-11T07:59:53.017Z",
      "valid_until": "2025-11-11T07:59:53.017Z",
      "object_marking_refs": [
        "marking-definition--ce6a3a69-be72-4e80-bfc1-4c6b44f23651", // Copyright
        "marking-definition--05972cd1-d8ed-42f3-b104-7770c3787929", // Disclaimer
        "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82" // TLP:AMBER
      ]
    }