Configure STIX as a Data Source

You can configure Structured Threat Information eXpression (STIX) as a data source for Context Hub and use the Context Hub service to fetch contextual threat intelligence information from a STIX source.

Configure STIX File

To add STIX as a data source for Context Hub:

  1. Go to Admin > Services.
    The Services view is displayed.
  2. Select the Context Hub service and click the actions icon > View > Config.
    The Services config view of Context Hub is displayed.
  3. Click the STIX tab, and click the add icon.
  4. Select File as data source.

  5. Provide the following details:
    1. Context Highlighting: This highlights the meta values (in the Investigate > Navigate, Events, Event details and Nodal graph) for which the contextual information is available for this data source in the Context Hub. By default, this option is enabled.
    2. Name: Provide a name for the STIX file data source.
    3. Description: Provide a description of the data source.
    4. File: Browse for the file you want to add as a data source.
  6. Click Validate to verify the format of the file.
  7. Click Save to configure the data source.
    The File is added as a data source for the configured Context Hub and is displayed in the STIX tab.
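
A local pre-check you can run on a file before uploading it as a File data source, added here as an example and not NetWitness code. The page does not state which STIX version Context Hub accepts, so the check recognises both STIX 1.x XML and STIX 2.x JSON and refuses XML that carries DTD or entity declarations; the function names and sample inputs are constructed for illustration.

```python
import json
import re
import xml.etree.ElementTree as ET

STIX1_NS = "http://stix.mitre.org/stix-1"  # namespace of the STIX 1.x root element

def precheck_stix(data: bytes) -> str:
    """Return the detected STIX flavour; raise ValueError if the file is unfit to upload."""
    text = data.decode("utf-8-sig").lstrip()  # UnicodeDecodeError is a ValueError
    if text.startswith("{"):
        try:
            doc = json.loads(text)
        except json.JSONDecodeError as exc:
            raise ValueError(f"malformed JSON: {exc}") from exc
        objs = doc.get("objects")
        if doc.get("type") != "bundle" or not isinstance(objs, list) or not objs:
            raise ValueError("JSON is not a STIX 2.x bundle with objects")
        bad = [o for o in objs if not isinstance(o, dict) or not {"type", "id"} <= o.keys()]
        if bad:
            raise ValueError(f"{len(bad)} bundle object(s) lack type or id")
        return "stix-2.x-json"
    # Feed files come from third parties: refuse DTD and entity declarations
    # before any XML parser sees them (guards against XXE and entity expansion).
    if re.search(r"<!\s*(DOCTYPE|ENTITY)", text, re.IGNORECASE):
        raise ValueError("XML carries a DOCTYPE or ENTITY declaration")
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        raise ValueError(f"malformed XML: {exc}") from exc
    if root.tag != f"{{{STIX1_NS}}}STIX_Package":
        raise ValueError(f"unexpected root element {root.tag!r}")
    return "stix-1.x-xml"

def check(blob: bytes) -> str:
    """Return the detected format, or 'rejected: <reason>'."""
    try:
        return precheck_stix(blob)
    except ValueError as exc:
        return f"rejected: {exc}"

# Constructed sample inputs (placeholders, not real intelligence).
SAMPLE_XML = b'<stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1" version="1.2"/>'
SAMPLE_JSON = json.dumps({"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [{"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002"}],
}).encode()
SAMPLE_DTD = b'<!DOCTYPE p [<!ENTITY a "aaaa">]>' + SAMPLE_XML

if __name__ == "__main__":
    for name, blob in (("xml", SAMPLE_XML), ("json", SAMPLE_JSON), ("dtd", SAMPLE_DTD)):
        print(f"{name}: {check(blob)}")
```

This check only screens the file locally; the Validate button in Context Hub remains the authority on whether the format is accepted.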

Configure REST Server

To add REST as a data source for Context Hub:

  1. Go to Admin > Services.
    The Services view is displayed.
  2. Select the Context Hub service and click the actions icon > View > Config.
    The Services config view of Context Hub is displayed.
  3. Click the STIX tab, and click the add icon.
  4. Select REST Server as data source.

  5. Provide the following details:
    1. Enabled: Select this checkbox to enable the connection.
    2. Context Highlighting: This highlights the meta values (in the Investigate > Navigate, Events, Event details and Nodal graph) for which the contextual information is available for this data source in the Context Hub. By default, this option is enabled.
    3. Name: Provide a name for the REST Server data source.
    4. Description: Provide a description for the data source.
    5. URL: Specify the URL to the STIX file to be hosted on the server.
    6. (Optional) Username: Enter the username for the REST server.
    7. (Optional) Password: Enter the password for the REST server.
    8. Use Proxy: Select this checkbox to use a proxy.
    9. (Optional) Trust All Certificates: Select this checkbox if you want to trust all certificates and do not have a custom certificate.
    10. (Optional) Certificate File: Browse for the certificate file if you have not selected the Trust All Certificates checkbox.
  6. Click Validate to verify the connection parameters to the REST Server.
  7. Click Save to configure the data source.
    The REST Server is added as a data source for the configured Context Hub and is displayed in the STIX tab.

After adding the data source, you can configure additional settings. For more information, see Configure Context Hub Data Source Settings.

Configure TAXII Server

To add TAXII Server as a data source for Context Hub:

  1. Go to Admin > Services.
    The Services view is displayed.
  2. Select the Context Hub service and click the actions icon > View > Config.
    The Services config view of Context Hub is displayed.
  3. Click the STIX tab, and click the add icon.
  4. Select TAXII Server as data source.
  5. Provide the following details:
    1. Enabled: Select this checkbox to enable the connection.
    2. Context Highlighting: This highlights the meta values (in the Investigate > Navigate, Events, Event details and Nodal graph) for which the contextual information is available for this data source in the Context Hub. By default, this option is enabled.
    3. Name: Provide a name for the TAXII Server data source.
    4. Description: Provide a description for the data source.
    5. URL: Specify the discovery URL to the TAXII Server.
    6. (Optional) Username: Enter the username for the TAXII server.
    7. (Optional) Password: Enter the password for the TAXII server.
    8. (Optional) Client Certificate: Browse to upload a pkcs12 format client certificate available on your local system.
    9. (Optional) Certificate Password: Enter the password to the certificate, if it is password-protected.
    10. (Optional) Use Proxy: Select this checkbox to use a proxy.
    11. (Optional) Trust All Certificates: Select this checkbox if you want to trust all certificates and do not have a custom certificate.
    12. (Optional) Certificate File: Browse for the certificate file if you have not selected the Trust All Certificates checkbox.
    13. TAXII Collection: Select the TAXII Collection name from the drop-down to automatically download the collection.
  6. (Optional) Click the refresh icon to manually retrieve the list of collections available in the TAXII server, if the collections are not downloaded automatically.
  7. Click Validate to verify the connection parameters to the TAXII Server.
  8. Click Save to configure the data source.
    The TAXII Server is added as a data source and is displayed in the STIX tab.

After adding the data source, you can configure additional settings. For more information, see Configure Context Hub Data Source Settings.

Note: You can disable context highlighting globally in the Context Hub explorer view. After you disable this option, the entity values for all configured data sources are not highlighted, even if contextual information is available for them.

Next steps

After completing the configuration, you can view the contextual data in the Context Summary Panel of the Respond view or Investigate view. For more information, see the NetWitness Respond User Guide and the NetWitness Investigate User Guide.