Context Hub: Configure STIX as a Data Source

Document created by RSA Information Design and Development Employee on Sep 8, 2020Last modified by Shree Kulkarni on Sep 25, 2020
Version 3Show Document
  • View in full screen mode

You can configure Structured Threat Information eXpression (STIX) as a data source for Context Hub and use the Context Hub service to fetch contextual threat intelligence information from a STIX source.

Configure STIX File

To add STIX as a data source for Context Hub:

  1. Go to   (Admin) > Services .
    The Services view is displayed.
  2. Select the Context Hub service and click  > View > Config.
    The Services config view of Context Hub is displayed.
  3. Click the STIX tab, and click 
  4. Select File as data source.

  1. Provide the following details:
    1. Name: Provide a name for the STIX file data source.
    2. Description: Provide description of the data source.
    3. File: Browse for the file you want to add as a data source.
  2. Click Validate to verify the format of the file.
  3. Click Save to configure the data source.
    The File is added as a data source for the configured Context Hub and is displayed in the STIX tab.

Configure REST Server

To add REST as a data source for Context Hub:

  1. Go to   (Admin) > Services.
    The Services view is displayed.
  2. Select the Context Hub service and click  > View > Config.
    The Services config view of Context Hub is displayed.
  3. Click the STIX tab, and click 
  4. Select REST Server as data source.

  1. Provide the following details:
    1. Enabled: Select this checkbox to enable the connection.
    2. Name: Provide a name for the REST Server data source.
    3. Description: Provide a description for the data source.
    4. URL: Specify the URL to the STIX file to be hosted on the server.
    5. (Optional) Username: Enter the username for the REST server.
    6. (Optional) Password: Enter the password for the REST server.
    7. Use Proxy: Select this checkbox to use proxy.
    8. (Optional) Trust All Certificates: Select this checkbox if you want to trust all certificates and do not have a custom certificate.
    9. (Optional) Certificate File: Browse for the certificate file if you have not selected the Trust All certificates checkbox.
  2. Click Validate to verify the connection parameters to the REST Server.
  3. Click Save to configure the data source.
    The REST Server is added as a data source for the configured Context Hub and is displayed in the STIX tab.

After adding the data source, you can configure additional settings. For more information, see Configure Context Hub Data Source Settings .

Configure TAXII Server

To add TAXII Server as a data source for Context Hub:

  1. Go to   (Admin) > Services.
    The Services view is displayed.
  2. Select the Context Hub service and click  > View > Config.
    The Services config view of Context Hub is displayed.
  3. Click the STIX tab, and click 
  4. Select TAXII Server as data source.
  1. Provide the following details:
    1. Enabled: Select this checkbox to enable the connection.
    2. Name: Provide a name for the TAXII Server data source.
    3. Description: Provide a description for the data source.
    4. URL: Specify the discovery URL to the TAXII Server.
    5. (Optional) Username: Enter the username for the TAXII server.
    6. (Optional) Password: Enter the password for the TAXII server.
    7. (Optional) Client Certificate: Browse to upload a pkcs12 format client certificate available on your local system.
    8. (Optional) Certificate Password: Enter the password to the certificate, if it is password-protected.
    9. (Optional) User Proxy: Select this checkbox to use proxy.
    10. (Optional) Trust All Certificates: Select this checkbox if yoenabu want to trust all certificates and do not have a custom certificate.
    11. (Optional) Certificate File: Browse for the certificate file if you have not selected the Trust All certificates checkbox.
    12. TAXII Collection: Select the TAXII Collection name from the drop-down to automatically download the collection.
  2. (Optional) Click to manually retrieve the list of collections available in the TAXII server , if the collections are not downloaded automatically.
  3. Click Validate to verify the connection parameters to the TAXII Server.
  4. Click Save to configure the data source.
    The TAXII Server is added as a data source and is displayed in the STIX tab.

After adding the data source, you can configure additional settings. For more information, see Configure Context Hub Data Source Settings .

Next steps 

After completing the configuration, you can view the contextual data in the Context Summary Panel of the Respond view or Investigate view. For more information, see the NetWitness Respond User Guide and the NetWitness Investigate User Guide.

 

You are here

Table of Contents > Configure STIX as a Data Source

Attachments

    Outcomes