Taxii Import Module
Hello,
I am looking to use the import module TAXII 2.1 in my MISP docker. I am unable to find any documentation on how to set this module up so that I can use it to pull from the TAXII server. In my MISP instance I enabled the TAXII Import plugin, but the other two fields (features and config) don't show any options for setting the TAXII server URL, or provide any information on what is needed to get this to run.
Based on what I can see, the module has never really been implemented fully into MISP.
The user config is not exposed to MISP:
```python
userConfig = {
    "url": {
        "type": "String",
        "message": "A TAXII 2.1 collection URL",
    },
    "added_after": {
        "type": "String",
        "message": "Lower bound on time the object was uploaded to the TAXII server"
    },
    "stix_id": {
        "type": "String",
        "message": "STIX ID(s) of objects"
    },
    "spec_version": {  # TAXII 2.1 specific
        "type": "String",
        "message": "STIX version(s) of objects"
    },
    "type": {
        "type": "String",
        "message": "STIX type(s) of objects"
    },
    "version": {
        "type": "String",
        "message": 'Version timestamp(s), or "first"/"last"/"all"'
    },
    # Should we give some user control over this?  It will not be allowed to
    # exceed the admin setting.
    "STIX object limit": {
        "type": "Integer",
        "message": "Maximum number of STIX objects to process"
    },
    "username": {
        "type": "String",
        "message": "Username for TAXII server authentication, if necessary"
    },
    "password": {
        "type": "String",
        "message": "Password for TAXII server authentication, if necessary"
    }
}
```
The optimal location for adding the TAXII client pull feature would be as an addition to the TAXII push --> /TaxiiServers/index
You can use the module from within an existing event -> Populate from -> Taxii2.1. It's not really for scheduled imports as far as I can tell.
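For readers wondering what the fields in the posted userConfig stand for on the wire, here is an added example (not part of the thread and not the module's own code) that turns such a config into a TAXII 2.1 "get objects" request. The function name, the `admin_limit` argument and the sample values are assumptions; the query parameter names and the Accept media type are those of the TAXII 2.1 specification.

```python
import base64
from urllib.parse import urlencode, urlsplit

# Added example: build_objects_request and admin_limit are hypothetical names.
# userConfig key -> TAXII 2.1 query parameter (names from the TAXII 2.1 spec)
FILTER_PARAMS = {
    "added_after": "added_after",
    "stix_id": "match[id]",
    "spec_version": "match[spec_version]",
    "type": "match[type]",
    "version": "match[version]",
}


def build_objects_request(config, admin_limit):
    """Return (url, headers, effective_limit) for a collection's objects endpoint."""
    parts = urlsplit(config["url"].strip())
    if parts.scheme != "https" or not parts.netloc:
        # Basic credentials must not travel over cleartext HTTP.
        raise ValueError("collection URL must be an absolute https:// URL")
    if parts.query or parts.fragment:
        raise ValueError("collection URL must not carry its own query or fragment")

    query = {}
    for key, param in FILTER_PARAMS.items():
        value = str(config.get(key) or "").strip()
        if value:
            # Multiple values are comma-separated; drop stray whitespace.
            query[param] = ",".join(v.strip() for v in value.split(",") if v.strip())

    # The user value may lower the cap but never raise it past the admin setting.
    requested = config.get("STIX object limit")
    effective = admin_limit
    if requested not in (None, ""):
        requested = int(requested)
        if requested < 1:
            raise ValueError("STIX object limit must be positive")
        effective = min(requested, admin_limit)

    headers = {"Accept": "application/taxii+json;version=2.1"}
    if config.get("username"):
        raw = f"{config['username']}:{config.get('password') or ''}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(raw).decode()

    url = f"https://{parts.netloc}{parts.path.rstrip('/')}/objects/"
    if query:
        url += "?" + urlencode(query)
    return url, headers, effective
```

The returned `effective_limit` is meant as the cap on how many STIX objects the caller processes; it is kept out of the query string because TAXII's own `limit` parameter is a page size, not a total.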