Pull IOCs from the Rapid7 TAXII server

You can pull enriched IOCs (Indicators of Compromise) into third-party security devices using the Rapid7 TAXII server (STIX/TAXII v1.1 and v2.0 are supported). The TAXII server is defined in Digital Risk Protection (Threat Command) as an external cloud device.

The following enrichment data is included:

  • IOC Type
  • First seen
  • Last seen
  • Reported feeds
  • Severity
  • Feed confidence level
  • User tags
  • System tags
  • Threat Actor relation
  • Malware relation
  • Campaign relation

IOC groups can consist of:

  • Domains
  • URLs
  • IP addresses
  • File hashes
  • Email addresses

Before you begin, ensure that you have administrative credentials to access Digital Risk Protection (Threat Command) with a subscription to the Threat Intelligence (Intelligence Hub) and Automation modules.

Define the Rapid7 TAXII server integration

You can define a TAXII server to pull IOCs.

Before you begin, ensure that you have the Digital Risk Protection (Threat Command) account ID and appliance key.

To define a TAXII server:

  1. Log in to Digital Risk Protection (Threat Command).

  2. Navigate to Threat Intelligence (Intelligence Hub) > Integrations.

  3. Click Cloud.

  4. Click Add new device.

  5. In the Add New Cloud Device dialog box, define the Rapid7 TAXII server:

    1. Type a user-defined name for the device.
      The name can contain a maximum of 50 letters, spaces, numbers, and underscores.
    2. For the device type, select Rapid7 TAXII Server.
    3. Select the STIX version to support: v1.1 or v2.0.
    4. Optionally, change the IOC limit for the TAXII server (the default is 100,000).
  6. Click Add.
    The new device is added to the cloud integrations device list. A red dot next to the device name indicates that communication has not yet been established. The dot changes to green once the device is synchronized.

  7. Display the device details required to connect to your security device:

    1. From the Threat Intelligence (Intelligence Hub) > Integrations > Cloud page, select the TAXII integration.
    2. At the top of the screen, click Device Details.
    3. From the Device Details dialog, copy the Discovery URL. In addition, you need the Digital Risk Protection (Threat Command) account ID and appliance key. Enter this information in the management console of the security device.
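
The following Python script is an added example of what a third-party consumer does with the three values from step 7 (it is not part of this page and not Rapid7's code): it walks the TAXII 2.0 discovery endpoint to its API roots and collections, fetches each readable collection as a STIX 2.0 bundle, and flattens every indicator pattern into one record per domain, URL, IP address, file hash or email address. It assumes that the Discovery URL is a TAXII 2.0 discovery endpoint, that the server accepts HTTP Basic authentication with the account ID as the user name and the appliance key as the password, and that vendor enrichment (severity, tags and so on) arrives as custom `x_` properties on the indicator; the host `taxii.example`, the collection id `c1` and the STIX bundle are constructed sample data so the script runs offline.

```python
"""TAXII 2.0 pull client that flattens STIX 2.0 indicators into IOC records.

Added example, not Rapid7 code. Assumptions: the Discovery URL is a TAXII 2.0
discovery endpoint; the server takes HTTP Basic auth (account ID / appliance
key); vendor enrichment arrives as custom ``x_`` properties on indicators.
"""
import base64
import json
import re
import urllib.request
from typing import Callable, Dict, List

TAXII_ACCEPT = "application/vnd.oasis.taxii+json; version=2.0"
STIX_ACCEPT = "application/vnd.oasis.stix+json; version=2.0"

# STIX observable paths mapped onto the IOC groups the TAXII server exposes
# (domains, URLs, IP addresses, file hashes, email addresses).
_PATH_TO_IOC_TYPE = {
    "domain-name:value": "domain", "url:value": "url",
    "ipv4-addr:value": "ip", "ipv6-addr:value": "ip",
    "email-addr:value": "email",
    "file:hashes.'MD5'": "hash", "file:hashes.'SHA-1'": "hash",
    "file:hashes.'SHA-256'": "hash",
}
# One "<object-path> = '<literal>'" comparison inside a STIX pattern.
_COMPARISON = re.compile(r"([\w\-]+:[\w.'\-]+)\s*=\s*'([^']*)'")


def auth_header(account_id: str, appliance_key: str) -> Dict[str, str]:
    """Basic-auth header (assumption: account ID as user, appliance key as password)."""
    token = base64.b64encode(f"{account_id}:{appliance_key}".encode()).decode()
    return {"Authorization": f"Basic {token}", "Accept": TAXII_ACCEPT}


def extract_iocs(stix_objects: List[dict]) -> List[dict]:
    """Turn each indicator's pattern into one record per supported observable."""
    records = []
    for obj in stix_objects:
        if obj.get("type") != "indicator":
            continue  # malware, relationships, etc. carry no IOC value
        for path, value in _COMPARISON.findall(obj.get("pattern", "")):
            ioc_type = _PATH_TO_IOC_TYPE.get(path)
            if ioc_type is None:
                continue  # unsupported observable: skip rather than guess
            records.append({
                "type": ioc_type, "value": value,
                "first_seen": obj.get("valid_from"),  # standard STIX 2.0 field
                "last_seen": obj.get("valid_until"),  # optional in STIX 2.0
                "labels": obj.get("labels", []),
                # vendor enrichment in custom x_ properties (assumption)
                "enrichment": {k: v for k, v in obj.items() if k.startswith("x_")},
                "indicator_id": obj.get("id"),
            })
    return records


def pull_iocs(discovery_url: str, headers: Dict[str, str],
              fetch: Callable[[str, Dict[str, str]], dict]) -> List[dict]:
    """Walk discovery -> API roots -> collections -> objects and flatten the result."""
    records: List[dict] = []
    for api_root in fetch(discovery_url, headers).get("api_roots", []):
        root = api_root if api_root.endswith("/") else api_root + "/"
        for coll in fetch(root + "collections/", headers).get("collections", []):
            if not coll.get("can_read", True):
                continue
            # objects are served as STIX, not TAXII, JSON: switch the Accept header
            bundle = fetch(f"{root}collections/{coll['id']}/objects/",
                           dict(headers, Accept=STIX_ACCEPT))
            records.extend(extract_iocs(bundle.get("objects", [])))
    return records


def http_fetch(url: str, headers: Dict[str, str]) -> dict:
    """Live transport: GET the URL and decode the JSON body (stdlib only)."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# --- constructed offline sample (not real server output) -------------------
SAMPLE_DISCOVERY_URL = "https://taxii.example/taxii/"
SAMPLE_BUNDLE = {
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "spec_version": "2.0", "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern": "[domain-name:value = 'bad.example' OR url:value = 'http://bad.example/x']",
         "valid_from": "2024-01-02T00:00:00Z", "labels": ["malicious-activity"],
         "x_example_severity": "High"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern": "[file:hashes.'SHA-256' = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']",
         "valid_from": "2024-01-03T00:00:00Z", "labels": ["malicious-activity"]},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000004",
         "pattern": "[ipv4-addr:value = '192.0.2.10']",
         "valid_from": "2024-01-04T00:00:00Z", "labels": []},
        {"type": "malware", "id": "malware--00000000-0000-4000-8000-000000000005",
         "name": "example-family", "labels": ["trojan"]},
    ],
}


def sample_fetch(url: str, headers: Dict[str, str]) -> dict:
    """Offline transport answering the three TAXII 2.0 requests with the sample."""
    routes = {
        SAMPLE_DISCOVERY_URL: {"api_roots": [SAMPLE_DISCOVERY_URL + "root1/"]},
        SAMPLE_DISCOVERY_URL + "root1/collections/": {"collections": [{"id": "c1", "can_read": True}]},
        SAMPLE_DISCOVERY_URL + "root1/collections/c1/objects/": SAMPLE_BUNDLE,
    }
    if url not in routes:
        raise ValueError(f"unexpected request: {url}")
    return routes[url]


if __name__ == "__main__":
    # Swap sample_fetch for http_fetch and pass the real Discovery URL to go live.
    for rec in pull_iocs(SAMPLE_DISCOVERY_URL, auth_header("ACCOUNT_ID", "APPLIANCE_KEY"), sample_fetch):
        print(rec["type"], rec["value"], rec["first_seen"], rec["enrichment"])
```

The transport is injected so the same walk runs against the constructed sample or, with `http_fetch`, against a live server. Keep the appliance key out of the script itself (read it from an environment variable or secret store), since it is the credential that authorizes every pull, and verify the `Accept` switch on the objects request: a TAXII 2.0 server returns a STIX bundle only when asked for the STIX media type.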