Custom indicators
Private ThreatCloud (PTC) supports custom indicators of the following types: hash, domain, URL and IP address.
Custom indicators can be added/deleted in the following ways:
- Over REST from the Private ThreatCloud appliance
- Via STIX/TAXII packages from the Download Agent
Adding a custom indicator
Send a POST message to the URL: http://<ptc ip>/ptcd/customIndicators/add
Request body format:
{
    "indicator": "1AC222A9B2720E3D6669993AB788BDDD",
    "protection_name": "evil hash",
    "confidence": 5,
    "severity": 3
}
Removing a custom indicator
Send a POST message to the URL: http://<ptc ip>/ptcd/customIndicators/delete
Request body format:
{
    "indicator": "1AC222A9B2720E3D6669993AB788BDDD"
}
Listing custom indicators
To see the indicators that were downloaded to the PTC, either manually or through STIX/TAXII, send a GET message to the URL:
http://<ptc ip>/ptcd/customIndicators/getLatest
Counting custom indicators
To see the number of indicators that were downloaded to the PTC, either manually or through STIX/TAXII, send a GET message to the URL:
http://<ptc ip>/ptcd/customIndicators/count
Viewing a specific indicator
Send a POST message to the URL: http://<ptc ip>/ptcd/customIndicators/get
Request body format:
{
    "indicator": "1AC222A9B2720E3D6669993AB788BDDD"
}
The following scripts, available on the Private ThreatCloud appliance, demonstrate adding/removing indicators over REST:
add_indicator <indicator> <protection_name> [<confidence>] [<severity>]
del_indicator <indicator>
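As an added example (not a Check Point script, and not the add_indicator/del_indicator scripts shipped on the appliance), a small Python client that checks an indicator against the four supported types before building the add/delete requests with the same URLs and JSON fields shown above. The appliance address and the confidence/severity defaults (taken from the sample body) are assumptions; the accepted value ranges are not stated on this page.

```python
import ipaddress
import json
import re
import urllib.request
from urllib.parse import urlparse

# Assumed appliance address (a placeholder; the page writes it as <ptc ip>). Endpoints are plain http, as on the page.
PTC_HOST = "192.0.2.10"
BASE = f"http://{PTC_HOST}/ptcd/customIndicators"

HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)  # MD5/SHA-1/SHA-256
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)

def classify(indicator: str) -> str:
    """Return the page's indicator type (hash/domain/url/ip) or raise ValueError.
    Whitespace is stripped first: the stray space inside the page's sample
    "indicator" string would otherwise be stored as part of the hash."""
    value = indicator.strip()
    if HASH_RE.match(value):
        return "hash"
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    parts = urlparse(value)
    if parts.scheme in ("http", "https") and parts.netloc:
        return "url"
    if DOMAIN_RE.match(value):
        return "domain"
    raise ValueError(f"unsupported indicator: {indicator!r}")

def add_request(indicator, protection_name, confidence=5, severity=3):
    """Build (url, body) for customIndicators/add with the page's field names."""
    classify(indicator)  # reject anything that is not hash/domain/url/ip
    body = {"indicator": indicator.strip(), "protection_name": protection_name,
            "confidence": int(confidence), "severity": int(severity)}
    return f"{BASE}/add", body

def delete_request(indicator):
    """Build (url, body) for customIndicators/delete."""
    classify(indicator)
    return f"{BASE}/delete", {"indicator": indicator.strip()}

def post(url, body, timeout=10):
    """POST the JSON body and return the appliance's raw response text."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()
```

Because the API is plain HTTP and unauthenticated in the form shown here, run such a client only from a host on the same management segment as the appliance.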
STIX TAXII
PTC supports indicators from STIX/TAXII servers. Once the TAXII configuration is complete, the TAXII server is polled periodically for new STIX packages.
Supported versions:
STIX: 1.0, 1.1.1, 1.2
TAXII: 1.1
TLS: v1.0. For higher TLS versions, please contact the PTC R&D team (TLSv1.2 will be supported in the next engine update).
There are two new utilities to handle STIX/TAXII behavior:
1) taxiiconf - STIX/TAXII configuration
2) taxiioper - STIX/TAXII operations
Configuration:
TAXII configuration is done in the following steps:
1. Add a TAXII server
taxiiconf server add <taxii_server_name> <taxii_server_url> [pkcs12_keystore:password] [username password]
for example:
taxiiconf server add taxii-server-1 https://taxiiserver.com/services root 123456

2. Define a collection on the server
taxiiconf collection add <server_id> <collection_name>
for example:
taxiiconf collection add 12 collection1

3. Attach the collection to a policy
The policy dictates the collection's confidence. There are 3 default policies, with IDs in the range 1-3.
taxiiconf col_pol add <collection_id> <policy_id>
for example:
taxiiconf col_pol add 9 2

View configuration
You can use 'taxiiconf config' to view your current configuration: servers, collections and policies.
The last section, 'effective configuration', summarizes all TAXII collections/servers that will be polled for IoCs.

taxiioper
taxiioper load - manually load a local STIX package:
taxiioper load local <package_path>
taxiioper delete - delete a custom indicator:
taxiioper delete <indicator>
taxiioper stats - show statistics for all configured collections
Additional configuration:
On R80.20, the following command needs to be run on the Download Agent:
chown nobody:nobody /var/log/downloads
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.