Configure STIX as a Data Source

You can configure Structured Threat Information eXpression (STIX) as a data source for Context Hub and use the Context Hub service to fetch contextual threat intelligence information from a STIX source.

Starting with version 12.5, NetWitness integrates with STIX 2.x (2.0 and 2.1) feeds, which improves threat detection, incident response, and security monitoring. The integration converts structured threat intelligence from STIX format into a format that the SIEM system can readily understand and use, making it more effective at protecting against threats.

Configure STIX File

To add STIX as a data source for Context Hub:

  1. Go to Admin > Services.
    The Services view is displayed.
  2. Select the Context Hub service and click the actions icon > View > Config.
    The Services config view of Context Hub is displayed.
  3. Click the STIX tab, and click the add icon.
  4. Select File as data source.


  5. Provide the following details:
    1. Context Highlighting: Highlights the meta values (in Investigate > Events, Event details, and Nodal graph) for which contextual information is available from this data source in the Context Hub. By default, this option is enabled.
    2. Name: Provide a name for the STIX file data source.
    3. Description: Provide a description for the data source.
    4. File: Select and upload a STIX file in either .xml or .json format to use as a data source.

      Note: In NetWitness 12.5 or later, you can upload JSON files, because these versions are compatible with STIX 2.0 and 2.1.

  6. Click Validate to verify the format of the file.
  7. Click Save to configure the data source.
    The File is added as a data source for the configured Context Hub and is displayed in the STIX tab.
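
A pre-upload structural check for a STIX 2.x JSON file, as an added example (not NetWitness code, and not the logic behind the Validate button). It checks only a subset of the properties the STIX specifications require, and the sample bundle and function names are constructed for illustration.

```python
import json
import uuid

def _id_ok(obj):
    """STIX 2.x identifiers have the form <type>--<UUID>."""
    kind, sep, tail = str(obj.get("id", "")).partition("--")
    try:
        uuid.UUID(tail)
    except ValueError:
        return False
    return bool(sep) and kind == obj.get("type")

def check_stix2_bundle(text):
    """Return (stix_version, indicator_count, problems) for a JSON document."""
    try:
        doc = json.loads(text)
    except ValueError as exc:
        return None, 0, [f"not valid JSON: {exc}"]
    if not isinstance(doc, dict) or doc.get("type") != "bundle":
        return None, 0, ["top-level object is not a STIX 2.x bundle"]
    objects = [o for o in doc.get("objects") or [] if isinstance(o, dict)]
    # STIX 2.0 carries spec_version on the bundle, STIX 2.1 on each object.
    version = "2.0" if doc.get("spec_version") == "2.0" else (
        "2.1" if any(o.get("spec_version") == "2.1" for o in objects) else None)
    problems = [] if version else ["no spec_version 2.0 or 2.1 found"]
    required = ["pattern", "valid_from"] + (["pattern_type"] if version == "2.1" else [])
    count = 0
    for i, obj in enumerate(objects):
        if not _id_ok(obj):
            problems.append(f"objects[{i}]: id is not <type>--<UUID>")
        if obj.get("type") == "indicator":
            count += 1
            missing = [k for k in required if k not in obj]
            if missing:
                problems.append(f"objects[{i}]: indicator missing {missing}")
    return version, count, problems

# Constructed sample: one complete STIX 2.1 indicator, one with a bad id and no pattern_type.
SAMPLE = json.dumps({"type": "bundle", "id": "bundle--5d0092c5-5f74-4287-9642-33f4c354e56d", "objects": [
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
     "pattern_type": "stix", "pattern": "[ipv4-addr:value = '198.51.100.7']",
     "valid_from": "2024-01-01T00:00:00Z"},
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--not-a-uuid",
     "pattern": "[domain-name:value = 'bad.example']", "valid_from": "2024-01-01T00:00:00Z"},
]})

if __name__ == "__main__":
    print(check_stix2_bundle(SAMPLE))
```
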

Configure REST Server

To add REST as a data source for Context Hub:

  1. Go to Admin > Services.
    The Services view is displayed.
  2. Select the Context Hub service and click the actions icon > View > Config.
    The Services config view of Context Hub is displayed.
  3. Click the STIX tab, and click the add icon.
  4. Select REST Server as data source.


  5. Provide the following details:
    1. Enabled: Select this checkbox to enable the connection.
    2. Context Highlighting: Highlights the meta values (in Investigate > Events, Event details, and Nodal graph) for which contextual information is available from this data source in the Context Hub. By default, this option is enabled.
    3. Name: Provide a name for the REST Server data source.
    4. Description: Provide a description for the data source.
    5. URL: Specify the URL of the STIX file hosted on the server.

      Note: The URL provided determines whether the STIX REST data source is V1 or V2.

    6. (Optional) Username: Enter the username for the REST server.
    7. (Optional) Password: Enter the password for the REST server.
    8. Use Proxy: Select this checkbox to use a proxy.
    9. (Optional) Trust All Certificates: Select this checkbox if you want to trust all certificates and do not have a custom certificate.
    10. (Optional) Certificate File: Browse for the certificate file if you have not selected the Trust All Certificates checkbox.
  6. Click Validate to verify the connection parameters to the REST Server.
  7. Click Save to configure the data source.
    The REST Server is added as a data source for the configured Context Hub and is displayed in the STIX tab.

After adding the data source, you can configure additional settings. For more information, see Configure Context Hub Data Source Settings.

Configure TAXII Server

To add TAXII Server as a data source for Context Hub:

  1. Go to Admin > Services.
    The Services view is displayed.
  2. Select the Context Hub service and click the actions icon > View > Config.
    The Services config view of Context Hub is displayed.
  3. Click the STIX tab, and click the add icon.
  4. Select TAXII Server as data source.
  5. Provide the following details:
    1. Enabled: Select this checkbox to enable the connection.
    2. Context Highlighting: Highlights the meta values (in Investigate > Events, Event details, and Nodal graph) for which contextual information is available from this data source in the Context Hub. By default, this option is enabled.
    3. TAXII Version 2.X: Select this checkbox to consider only indicators formatted in the STIX 2.0 and 2.1 standards. By default, this option is enabled.

      Note: This option is supported only in NetWitness Platform 12.5 or later.

    4. Name: Provide a name for the TAXII Server data source.
    5. Description: Provide a description for the data source.
    6. Accept Header: From the drop-down list, select the relevant HTTP media types that the TAXII Server can accept in response.

      Note: This option will be available only for TAXII Version 2.X.

    7. URL: Specify the discovery URL to the TAXII Server.
    8. (Optional) Username: Enter the username for the TAXII server.
    9. (Optional) Password: Enter the password for the TAXII server.
    10. (Optional) Client Certificate: Browse to upload a pkcs12 format client certificate available on your local system.
    11. (Optional) Certificate Password: Enter the password to the certificate, if it is password-protected.
    12. (Optional) User Proxy: Select this checkbox to use a proxy.
    13. (Optional) Trust All Certificates: Select this checkbox if you want to trust all certificates and do not have a custom certificate.
    14. (Optional) Certificate File: Browse for the certificate file if you have not selected the Trust All Certificates checkbox.
    15. TAXII Collection: Select the TAXII Collection name from the drop-down to automatically download the collection.
  6. (Optional) Click the refresh icon to manually retrieve the list of collections available in the TAXII server, if the collections are not downloaded automatically.
  7. Click Validate to verify the connection parameters to the TAXII Server.
  8. Click Save to configure the data source.
    The TAXII Server is added as a data source and is displayed in the STIX tab.

After adding the data source, you can configure additional settings. For more information, see Configure Context Hub Data Source Settings.
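
The transport settings from the REST Server and TAXII Server procedures above (Accept Header, discovery URL, Certificate File versus Trust All Certificates), sketched as a client-side check. This is an added example, not NetWitness code; the URL, the sample collections response and the function names are assumptions made for illustration.

```python
import json
import ssl
import urllib.request

# Media types defined by the TAXII 2.0 and TAXII 2.1 specifications.
TAXII_ACCEPT = {
    "2.0": "application/vnd.oasis.taxii+json; version=2.0",
    "2.1": "application/taxii+json;version=2.1",
}

def tls_context(ca_file=None, trust_all=False):
    """Client TLS settings: a CA certificate file versus trusting every certificate."""
    ctx = ssl.create_default_context(cafile=ca_file)  # checks chain and hostname
    if trust_all:
        # The server is no longer authenticated; any certificate is accepted.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx

def discovery_request(url, version="2.1"):
    """Build the GET request for a TAXII discovery URL with the matching Accept header."""
    return urllib.request.Request(url, headers={"Accept": TAXII_ACCEPT[version]})

def fetch(url, ctx, version="2.1"):
    """Send the request; urllib raises URLError if certificate verification fails."""
    with urllib.request.urlopen(discovery_request(url, version), context=ctx, timeout=10) as resp:
        return resp.read().decode("utf-8")

def readable_collections(collections_json):
    """Titles of the collections this account can read, from a collections response."""
    doc = json.loads(collections_json)
    return [c["title"] for c in doc.get("collections", []) if c.get("can_read")]

# Constructed sample of a TAXII 2.1 collections response (not from a real server).
SAMPLE_COLLECTIONS = json.dumps({"collections": [
    {"id": "91a7b528-80eb-42ed-a74d-c6fbd5a26116", "title": "Constructed indicator feed",
     "can_read": True, "can_write": False},
    {"id": "52892447-4d7e-4f70-b94d-d7f22742ff63", "title": "Constructed write-only inbox",
     "can_read": False, "can_write": True},
]})

if __name__ == "__main__":
    strict, loose = tls_context(), tls_context(trust_all=True)
    print(strict.verify_mode, strict.check_hostname, loose.verify_mode)
    # Hypothetical discovery URL; no request is sent here.
    print(discovery_request("https://taxii.example.test/taxii2/").get_header("Accept"))
    print(readable_collections(SAMPLE_COLLECTIONS))
```

With `trust_all=True` the client accepts any certificate, so the origin of the feed is not verified; supplying the CA certificate file keeps chain and hostname verification on.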

Note: You can disable context highlighting globally in the Context Hub explorer view. After you disable this option, the entity values for all configured data sources are not highlighted, even when contextual information is available for them.

Next steps

After completing the configuration, you can view the contextual data in the Context Summary Panel of the Respond view or Investigate view. For more information, see the NetWitness Respond User Guide and the NetWitness Investigate User Guide.