Integrate Trend Threat Intelligence feed content into OpenCTI using the Trusted Automated Exchange of Intelligence Information (TAXII) connector. This process uses the Trend Threat Intelligence feed application programming interface (API), which supports the TAXII 2.1 protocol, to connect to OpenCTI.

Procedure

  1. Clone the TAXII2 connector repository.
  2. Configure common environment variables in docker-compose.yml.

    Common settings

    | Environmental variable | Description | Value |
    |---|---|---|
    | OPENCTI_URL | Uniform resource locator (URL) of your target OpenCTI instance where the connector sends data | |
    | OPENCTI_TOKEN | API token for authenticating the connector with OpenCTI | |
    | CONNECTOR_ID | Generate a random universally unique identifier (UUID) to identify this connector instance | A random UUID |
    | TAXII2_DISCOVERY_URL | URL of the TAXII 2.1 threat intelligence feed API | |
    | TAXII2_INITIAL_HISTORY | The timeframe, in hours, to fetch historical data from the TAXII2 server when connecting for the first time | Default: 24 |
  3. Choose either basic authentication or bearer token authentication and configure the corresponding variables.

    Basic authentication

    | Environmental variable | Description | Value |
    |---|---|---|
    | TAXII2_USERNAME | Username credential to access TAXII Server | Business ID |
    | TAXII2_PASSWORD | Password credential to access TAXII Server | Trend Vision One API token |
    | TAXII2_USE_TOKEN | Switch to token authentication method | false or blank |
    | TAXII2_USE_APIKEY | Switch to key/value authentication | false or blank |

    Bearer token authentication

    | Environmental variable | Description | Value |
    |---|---|---|
    | TAXII2_USE_APIKEY | Switch to using a key/value pair as authentication method | true |
    | TAXII2_APIKEY_KEY | API key - name of the HTTP header | Authorization |
    | TAXII2_APIKEY_VALUE | The secret value set as the header value | Trend Vision One API token |
  4. To filter marking-definition objects during import, use the following environmental variables.
    • Set TAXII2_IGNORE_OBJECT_TYPES to true to exclude specific objects.
    • Specify TAXII2_OBJECT_TYPES_TO_IGNORE with a comma-separated list of STIX object types to ignore.
    OpenCTI uses Traffic Light Protocol (TLP), so TLP displays as expected.
  5. Run the following command to ingest the fetched data into OpenCTI through the TAXII2 connector.
    $ docker-compose up
  6. Monitor the import status in the OpenCTI web portal at Data > Ingestion > Connectors > TAXII2.
  7. To re-import data from the period defined by TAXII2_INITIAL_HISTORY, click Reset in the OpenCTI portal.
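
The variables in steps 2 to 4 can be checked before running docker-compose up. The function below is an added example, not part of the connector or of the original procedure; check_taxii2_env and its messages are hypothetical names, and it assumes the variables are exported in the current shell and that flag values are compared case-insensitively.

```shell
# Added example: preflight check for the connector variables listed above.
# Reads them from the current shell environment, prints one line per problem to
# stderr (never the secret values) and returns non-zero if anything is wrong.
# Assumption: flags are compared case-insensitively against "true"/"false".
check_taxii2_env() {
    errs=0
    fail() { echo "config error: $1" >&2; errs=$((errs + 1)); }
    lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

    # Common settings that have no default.
    for v in OPENCTI_URL OPENCTI_TOKEN CONNECTOR_ID TAXII2_DISCOVERY_URL; do
        eval "val=\${$v:-}"
        [ -n "$val" ] || fail "$v is not set"
    done

    # CONNECTOR_ID must be a UUID (8-4-4-4-12 hex digits).
    if [ -n "${CONNECTOR_ID:-}" ] && ! printf '%s\n' "$CONNECTOR_ID" | grep -Eqi \
        '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'; then
        fail "CONNECTOR_ID is not a UUID"
    fi

    # TAXII2_INITIAL_HISTORY is a number of hours; blank means the default of 24.
    case "${TAXII2_INITIAL_HISTORY:-24}" in
        *[!0-9]*) fail "TAXII2_INITIAL_HISTORY must be a whole number of hours" ;;
    esac

    use_apikey=$(lower "${TAXII2_USE_APIKEY:-}")
    use_token=$(lower "${TAXII2_USE_TOKEN:-}")
    if [ "$use_apikey" = "true" ]; then
        # Bearer token authentication table.
        [ "${TAXII2_APIKEY_KEY:-}" = "Authorization" ] || fail "TAXII2_APIKEY_KEY must be Authorization"
        [ -n "${TAXII2_APIKEY_VALUE:-}" ] || fail "TAXII2_APIKEY_VALUE is empty"
    else
        # Basic authentication table.
        [ -n "${TAXII2_USERNAME:-}" ] || fail "TAXII2_USERNAME is empty"
        [ -n "${TAXII2_PASSWORD:-}" ] || fail "TAXII2_PASSWORD is empty"
        case "$use_token" in ''|false) ;; *) fail "TAXII2_USE_TOKEN must be false or blank" ;; esac
        case "$use_apikey" in ''|false) ;; *) fail "TAXII2_USE_APIKEY must be true, false or blank" ;; esac
    fi

    # An ignore switch with an empty list filters nothing.
    if [ "$(lower "${TAXII2_IGNORE_OBJECT_TYPES:-}")" = "true" ] &&
        [ -z "${TAXII2_OBJECT_TYPES_TO_IGNORE:-}" ]; then
        fail "TAXII2_IGNORE_OBJECT_TYPES is true but TAXII2_OBJECT_TYPES_TO_IGNORE is empty"
    fi
    [ "$errs" -eq 0 ]
}
```

Source the file and call check_taxii2_env in the shell that holds the variables; a non-zero return means at least one setting does not match the tables above.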