Decoder: Create a STIX Custom Feed

Document created by RSA Information Design and Development Employee on Oct 10, 2017Last modified by RSA Information Design and Development Employee on Apr 23, 2020
Version 18Show Document
  • View in full screen mode

Structured Threat Information Expression (STIX) is a structured language for describing cyber threat information so it can be shared, stored, and analyzed in a consistent manner. For more information about STIX, see

You can create a custom feed using a STIX-formatted feed data file (.xml) in RSA NetWitness Platform. NetWitness Platform supports Structured Threat Information Expression (STIX) 1.0, 1.1 and 1.2 versions only.

Caution: If a STIX recurring feed is configured and you update Security Analytics from 10.6.x to NetWitness Platform 11.x, you must re-configure the STIX recurring feed.

In NetWitness Platform, STIX feeds of type Indicator or Observable that contain properties such as the IP addresses, File hashes, Domain names, URIs and Email addresses are supported. The property values in the Equals operator are supported. Attributes such as Type and Title are also read from the STIX. A STIX file with a single STIX_Package is supported.

TAXII (Trusted Automated eXchange of Indicator Information) is the main transport mechanism for cyber threat information represented in STIX. Using the TAXII services, organizations can share cyber threat information in a secure and automated manner.

The STIX and TAXII communities work closely together to ensure that they continue to provide a full stack for sharing threat intelligence.

Apart from the TAXII server, STIX data can also reside on a REST server and you can fetch the STIX file from the REST server by providing the URL of the REST server. For example,

The STIX feed data file and optionally the feed definition file, both in .xml format must be available on the local file system for an on-demand custom feed. For a recurring custom feed, the files must be available at a URL that is accessible to the NetWitness Platform server.

To create a STIX custom feed:

  1. Go to Configure > Custom Feeds.

    The Custom Feeds view is displayed.

  2. In the toolbar, click the Add icon.

    The Setup Feed dialog is displayed.

    the Setup Feed dialog

  3. To select the feed type, click Custom Feed and Next.

    The Configure a Custom Feed wizard is displayed, with the Define Feed form open.

    the Define Feed form, STIX and Adhoc selected

  4. To define a feed based on a STIX formatted .xml file, select STIX in the Feed Type field.

  5. To define an on-demand feed task that executes once, select Adhoc in the Feed Task Type field and do one of the following:

    1. (Conditional) To define a feed based on STIX-formatted .xml file, type the feed Name, select a STIX  formatted .xml content File from the local file system, and click Next.
    2. (Conditional) To define a feed based on an XML feed file, select Advanced Options.

      The Advanced Options are displayed.

      the Define Feed form, showing Advanced Options

    3. Select an XML feed file from the local file system, choose the Separator (default is comma), specify the Comment characters used in the feed data file (default is #), and click Next.
      The Select Services form is displayed. This is an example of the form for a feed based on a feed data file with no feed definition file. If you are defining a feed based on a feed definition file, the Define Columns tab is not needed.

      the Select Services form

  6. To define a recurring feed task that executes repeatedly at specified intervals, during a specified date range.

    1. Select Recurring in the Feed Task Type field.

      The Define Feed form includes the fields for a recurring feed.

      the Define Feed form, STIX and Recurring selected

    2. In the URL field, do one of the following:

      • To define a recurring feed based on STIX which pulls STIX packages from a TAXII Server, enter the TAXII server's discovery service URL, for example,

        Note: A Context Hub service installed on Event Stream Analysis host must be reachable for the specified TAXII server.

      • To define a recurring feed based on a STIX-formatted .xml file using the REST Server, enter the URL of the REST server where the STIX data file is located, for example,

        the Define Feed form, STIX and Recurring selected

      NetWitness Platform verifies the connection to the server, so that NetWitness Platform can check for the latest file automatically before each recurrence.

    3. If you do not want NetWitness Platform to verify the REST server's SSL certificate, Select Trust All Certificate. This option is enabled by default (checked).
    4. For client authentication with the REST URL, in the Certificate field, click Browse and select the self signed certificate. The supported certificate formats are .cer, .crt with Base64 and DER encoded files.
    5. (Optional) If the URL has restricted access and requires authentication using your username and password, select Authenticated.

      NetWitness Platform provides your user name and password for authentication to the URL.

    6. Select TAXII Enabled Server, if you want to select a TAXII collection from the list.
      For a valid URL, one or more TAXII collections that contains the STIX data file is displayed based on your credentials. Select the required TAXII collection from the list. Only one collection can be added from a TAXII server for a feed.

      Note: Though multiple feeds from multiple TAXII servers are supported, only one account (username and password) is supported per TAXII server.

    7. If you want the NetWitness Platform server to access the feed URL through a proxy, select Use Proxy. For more information on configuring a proxy, see "Configure Proxy for NetWitness Platform" in the System Configuration Guide. (Go to the Master Table of Contents to find all RSA NetWitness Platform 11.x documents.) By default, the Use Proxy checkbox is not selected.
    8. (Optional) Click Verify to test the settings.

      Note: Make sure all the required connection parameters such as Authentication, Proxy, Certificate trust, TAXII Enabled Server, and others, are configured before you click Verify.

    9. To define the interval of recurrence for pushing to the Decoder or Log Decoder, do one of the following:

      • Specify the number of minutes, hours, or days between recurrences of the feed.
      • Specify recurrence every week, and select the days of the week.
    10. To define the date range for the execution of the feed to recur, specify the Start Date and time and the End Date and time. The Start Date defines from when you want to fetch the data.

  7. (Conditional) If you want to define a feed based on an XML feed file:

    • Type the feed Name, select Advanced Options.

      The Advanced Options fields are displayed.

    • Select an XML feed file from the local file system, choose the Separator (default is comma), specify the Comment characters used in the feed data file (default is #).

    • In the Remove STIX data older than field, specify the number of days for which STIX packages pulled from TAXII server is to be stored. The STIX packages older than the specified number of days is deleted automatically.
    • Click Next.

      The Select Services form is displayed.

  1. To identify services on which to deploy the feed, do one of the following:

    1. Select one or more Decoders and Log Decoders, and click Next.
    2. In case of STIX feed, Context Hub is selected by default and you cannot deselect it. In addition, you can select one or more Decoders and Log Decoders and click Next or click the Groups tab and select a group. Click Next.

      the Select Services form, Context Hub selected

      If the data from the STIX server is large, the following message is displayed:
      "Fetching sample date is taking longer than expected. Choose one of the following options." You have two options: continue to wait or map without sample data.

      • If you click Continue to Wait, the Feed Wizard continues to wait till the sample data is fetched or a timeout (10 minutes) occurs, whichever is sooner. If there is a timeout, no sample data is retrieved.
      • If you click Map without Sample data, the mapping column is displayed without any sample data.

      The Define Columns form is displayed.

  2. To map columns in the Define Columns form:

    1. Define the Index type: IPIP Range, or Non IP, and select the index column.
    2. (Conditional) If the index type is IP or IP Range and the IP address is in CIDR notation, select CIDR.
    3. (Conditional) If the index type is Non IP, additional settings are displayed. Select the service type and Callback Keys, and optionally select the Truncate Domain option.

      the Define Columns form with IP selected

      • If the Index Type is Non IP, you can select multiple index columns in the Index Columns. The values from all the selected columns are merged in the first index column that you selected and the merged values are pushed to the Log Decoder for parsing. For example, in the Index Columns if you select 2,4,7 as index columns the values from the 2,4, and 7 columns are merged in the column 2 and the values are pushed to Log Decoder for parsing.
      • Indexing cannot be done for columns such as Indicator Title, Indicator Description, Observable Title, and Observable Description, as the look up cannot be performed for those columns.
    4. Select the language key to apply to the data in each column from the drop-down list. The meta displayed in the drop-down list is based on the meta available for the service define values. You can also add other meta based on advanced expertise.

    5. Click Next.

      The Review form is displayed.

  3. Anytime before you click Finish, you can:

    • Click Cancel to close the wizard without saving your feed definition.
    • Click Reset to clear the data in the wizard.
    • Click Next to display the next form (if not viewing the last form).
    • Click Prev to display the previous form (if not viewing the first form).
  4. Review the feed information, and if correct, click Finish.
    Upon successful creation of the feed definition file, the Create Feed wizard closes, the feed and corresponding token file are listed in the Feed grid, and progress bar tracks completion. You can expand or collapse the entry to see how many services are included, and which services were successful.


Note: Health and Wellness raises alerts when the available heap memory of Context Hub server is critically low. If the status of Context Hub server is Unhealthy due to low memory. For more information on how to troubleshoot OutOfMemoryError on Contexthub Server, refer to "Troubleshooting" in the Live Services Management Guide.

Previous Topic:Create a Custom Feed
You are here
Table of Contents > Configure Parsers and Feeds > Configure Feeds > Create a STIX Custom Feed