3.1 KiB
title | date | layout | banner |
---|---|---|---|
How to push to a TAXII server from MISP | 2023-04-29 | post | /img/blog/taxii-1.png |
If you want to push data from your MISP instance to a TAXII server, there are a few steps you need to follow. Firstly, you'll need to ensure that your MISP instance is configured to export data in a format that the TAXII server can accept. This typically involves converting the data to STIX 2.x format by using the builtin misp-stix converter. Next, you'll need to establish a connection between your MISP instance and the TAXII server by configuring the appropriate API and collection endpoints in the MISP sync action. Once this is done, you can initiate the data transfer from your MISP instance to the TAXII server by pushing the searched data to the designated API and collection.
MISP has an automatic feature to support the automatic export from MISP to a TAXII 2.1 server. This article includes all the steps including the installation of TAXII 2.1 server for testing.
TAXII 2.1 server configuration example
Install medallion
- From git
git clone https://github.com/oasis-open/cti-taxii-server.git
cd cti-taxii-server
# optional but appreciated
virtualenv -p python3 venv
source ./venv/bin/activate
pip3 install -r requirements.txt
pip3 install .
- From pypi
pip3 install medallion
Run medallion
Some important points:
- medallion runs on http only
- the default port is 5000
- look at the configuration file and check the options
- set the host address with the
-h
option
medallion -h <HOST> -c <config_file.json>
Push data to TAXII
MISP has an integration for TAXII servers, which includes:
- TAXII servers configuration listing
- discovery end point on each TAXII server to list and choose:
- the API root
- the collections
- Filtering on the content to push
The list of TAXII servers is available via the Sync Actions
tab -> List Taxii Servers
Make your running TAXII server reachable from MISP
In order to add a new connection to a TAXII server, you need to provide:
- the server url
- an API key being the base64 encoded string of
<username>:<password>
- the API root
- the collection name
Filter on the data to push
In the TAXII server connection config, you can define filter rules.
Those rules are basically the ones you would use as HTTP body
of a restSearch
request. restSearch filters options are documented in our OpenAPI.
This means you can filter on a lot of different things, for example:
- data that is owned by your own organisation
{ "org": "<YOUR_ORG>" }
- content marked with certain tags
{ "tags": [ "tlp:white", "stix_push" ] }
- a more specific example
{ "org": "CIRCL", "tags": "tlp:white", "type": [ "ip-src", "ip-dst" ] }
The feature is converting your content to STIX 2.x format then it can be automatically exported and pushed to the designated API and collection on the TAXII server.