To mitigate increasingly complex cyber attacks, you can enable the appliance to run a TAXII (Trusted Automated eXchange of Indicator Information) service to receive information on real-time threat incidents. The information in each threat incident is represented using the STIX (Structured Threat Information eXpression) language format. STIX is a standard language used to describe structured cyber threat information, which is shared between different TAXII clients.
When you run the TAXII service on a Grid member, the appliance acts as a TAXII server that receives TAXII messages (for one or more specified STIX collections) from TAXII clients. The TAXII message typically contains a list of IP addresses (both IPv4 and IPv6) and domains. The member then communicates with the Grid Master and sends a request to create an RPZ rule on the specified RPZ based on the TAXII messages it receives. The RPZ rule created on NIOS is available in the Response Policy Zones tab, as shown in Figure 42.4.
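The following added example (not Infoblox code, and not a description of how NIOS parses messages internally) shows the anatomy of a TAXII 1.1 inbox message carrying STIX content and how a receiver can pull out the destination collection and validate the IP addresses and domains before they become blocking rules. The collection name, indicator values and the domain-syntax check are constructed assumptions.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET  # use a hardened parser (e.g. defusedxml) for untrusted feeds

# Constructed sample, trimmed: real STIX nests these values inside Observable elements.
SAMPLE = """<t:Inbox_Message message_id="1001"
    xmlns:t="http://taxii.mitre.org/messages/taxii_xml_binding-1.1">
  <t:Destination_Collection_Name>example-collection</t:Destination_Collection_Name>
  <t:Content_Block>
    <t:Content_Binding binding_id="urn:stix.mitre.org:xml:1.1.1"/>
    <t:Content>
      <stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
          xmlns:a="http://cybox.mitre.org/objects#AddressObject-2"
          xmlns:d="http://cybox.mitre.org/objects#DomainNameObject-1">
        <a:Address_Value>192.0.2.10</a:Address_Value>
        <a:Address_Value>2001:db8::bad</a:Address_Value>
        <a:Address_Value>999.1.1.1</a:Address_Value>
        <d:Value>malware.example</d:Value>
      </stix:STIX_Package>
    </t:Content>
  </t:Content_Block>
</t:Inbox_Message>"""

NS = {
    "t": "http://taxii.mitre.org/messages/taxii_xml_binding-1.1",
    "a": "http://cybox.mitre.org/objects#AddressObject-2",
    "d": "http://cybox.mitre.org/objects#DomainNameObject-1",
}
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

def parse_inbox(xml_text):
    """Return (collection, accepted indicators, rejected values) for one message."""
    root = ET.fromstring(xml_text)
    collection = root.findtext("t:Destination_Collection_Name", namespaces=NS)
    accepted, rejected = [], []
    for el in root.iterfind(".//a:Address_Value", NS):
        value = (el.text or "").strip()
        try:
            ip = ipaddress.ip_address(value)  # accepts IPv4 and IPv6
            accepted.append((f"ipv{ip.version}", str(ip)))
        except ValueError:
            rejected.append(value)  # malformed address: report, do not block
    for el in root.iterfind(".//d:Value", NS):
        value = (el.text or "").strip().lower().rstrip(".")
        if DOMAIN_RE.match(value):
            accepted.append(("domain", value))
        else:
            rejected.append(value)
    return collection, accepted, rejected
```

Running the same check on the client side before submitting to the inbox keeps malformed indicators out of the mapped RPZ and avoids the invalid-message syslog entries described under Monitoring TAXII Server.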

...

Note: Once you start the TAXII server, the inbox for the configured collections is available at https://<member address>/services/inbox and the TAXII discovery service is available at https://<member address>/services/discovery, where <member address> is the MGMT or LAN IP address (IPv4 or IPv6 address of the port that is configured).

...

For more information about TAXII and STIX, refer to the following:

https://taxii.mitre.org/

http://taxiiproject.github.io/

Supported Appliances for TAXII Service

You can run the TAXII service on the following Infoblox appliance models: IB-1410, IB-1415, IB-1420, IB-1425, IB-VM-1410, IB-VM-1415, IB-VM-1420, IB-VM-1425, TE-810, TE-815, TE-2210, TE-2215, TE-2220, TE-2215, IB-VM-4010, IB-4030, IB-4030-10GE, IB-VM-2220, IB-VM-2225, PT-1400, PT-1405, PT-2200, PT-2205, PT-2205-10GE, PT-4000, and PT-4000-10GE.

Licensing Requirements and Permissions

To enable the TAXII service, you must install the Security Ecosystem license on any Grid member. You must also install an RPZ license on any Grid member in the Grid in order to create RPZ rules based on the TAXII messages. To allow a group to access the TAXII service, you can enable the group to authenticate with the TAXII server.
To enable a group to access the TAXII server:
1720 NIOS Administrator Guide (Rev. A) NIOS 8.1
Mitigating Cyber Threats using TAXII

  1. From the Administration tab, select the Administrators tab -> Groups tab, and then click the Add icon.
  2. In the Add Admin Group wizard, click the Roles tab and then complete the following in the Allowed Interfaces section:

...

    • TAXII: Select this check box to enable a group to authenticate with the TAXII server.

  3. Save the configuration.

Mapping RPZs with TAXII Collections

...

  • To edit an entry in the list, click the check box beside an RPZ, and then click the Edit icon.
  • To delete an entry in the list, select the check box beside an RPZ, and then click the Delete icon.


Figure 42.3 Mapping RPZs with TAXII Collection

...


...




Figure 42.4 RPZ Rules created for the Mapped RPZ and Collection

Starting and Stopping the TAXII Service

To start the TAXII service:
1. From the Grid tab, select the Services tab -> TAXII_member check box and then click the Start icon from the vertical Toolbar.
To stop the TAXII service:
1. From the Grid tab, select the Services tab -> TAXII_member check box and then click the Stop icon from the vertical Toolbar.

Extensible Attributes for TAXII Service

You can define extensible attributes that are specific to the TAXII service, as described in Extensible attributes for TAXII service. When you define TAXII-specific extensible attributes, the RPZ rules created will have these attributes and their corresponding values (received in the TAXII messages) added automatically.
For information about how to configure extensible attributes, see About Extensible Attributes.

Table 42.3 Extensible attributes for TAXII service

| Attribute Name | Attribute Type | Description |
|---|---|---|
| TAXII_collection | String | The name of the TAXII collection the TAXII client delivered the message to. |
| TAXII_source | String | The IP address of the TAXII client that sent the TAXII message. |
| TAXII_member | String | The TAXII Grid member that receives the TAXII message resulting in the creation of the RPZ rule. |
| TAXII_timestamp | Date/Integer | The timestamp when the TAXII message was received. |
| TAXII_user | String | The login name of the user the TAXII client connected as to the TAXII server on the member that received the message. |


Monitoring TAXII Server

You can monitor the status of the TAXII server, as described in Monitoring Grid Services. If there are any invalid TAXII messages, the appliance makes a syslog entry. For information, see Viewing RPZ in the Syslog on page 1731. The appliance also sends an SNMP trap and an email notification, if configured. For information about setting SNMP and email notification, see Setting SNMP and Email Notifications.