Pull IOCs from the Rapid7 TAXII server

You can pull enriched IOCs (Indicators of Compromise) into third-party security devices using the Rapid7 TAXII server (STIX/TAXII v1.1 and v2.0 are supported). The TAXII server is defined in Threat Command as an external cloud device.

The following enrichment data is included:

  • IOC Type
  • First seen
  • Last seen
  • Reported feeds
  • Severity
  • Feed confidence level
  • User tags
  • System tags
  • Threat Actor relation
  • Malware relation
  • Campaign relation

IOC groups can consist of:

  • Domains
  • URLs
  • IP addresses
  • File hashes
  • Email addresses

Before you begin, ensure that you have administrative credentials to access Threat Command with a subscription to the Intelligence Hub and Automation modules.

Define the Rapid7 TAXII server integration

You can define a TAXII server to pull IOCs.

Before you begin, ensure that you have the Threat Command account ID and appliance key.

To define a TAXII server:

  1. Log in to Threat Command.

  2. Navigate to Intelligence Hub > Integrations.

  3. Click Cloud.

  4. Click Add new device.

  5. In the Add New Cloud Device dialog box, define the Rapid7 TAXII server:

    1. Type a user-defined name for the device.
      The name can contain a maximum of 50 letters, spaces, numbers, and underscores.
    2. For the device type, select Rapid7 TAXII Server.
    3. Select the STIX version to support v1.1 or v2.0.
    4. You can change the IOCs limit for the TAXII server (default is 100,000).

  6. Click Add.
    The new device is added to the cloud integrations device list. A red dot next to the device name indicates that communication has not yet been established. The dot changes to green once the device is synchronized.

  7. Display the device details required to connect to your security device:

    1. From the Intelligence Hub > Integrations > Cloud page, select the TAXII integration.
    2. At the top of the screen, click Device Details.
    3. From the Device Details dialog, you will need the Discovery URL. In addition, you need the Threat Command account ID and appliance key. Copy this information into the management console of the security device.