Is there any OpenDXL integration with a STIX/TAXII solution?

  • I am not aware of any OpenDXL integrations that directly support a STIX/TAXII feed. However, I have seen a couple of integrations that support threat feeds via aggregators (such as IntelMQ). I am not sure whether STIX/TAXII is a supported feed for any of these. Hopefully those solutions will be submitted here in the near future.


    Threat Intelligence Exchange (commercial) does support a subset import (primarily hashes) of STIX files. The import results in file reputations that are available via OpenDXL (see TIE Python Client Library).


    It would be great to see an OpenDXL solution developed that supports the ability to define a set of TAXII feeds. As new threats are published, they could be sent over DXL as events. These events could then be consumed by a variety of security products (sandbox, SIEM, endpoint scanners, etc.). Having such a solution would eliminate the per-product configuration and maintenance of the TAXII feeds.


    Chris

  • Tychon (commercial) will support STIX submissions and receipt over DXL; users will be able to receive a feed of incidents from open cases created from the Tychon UI. They can also submit IOCs and STIX queries over DXL to query endpoints in real time.


    There is a slight issue, however: with the limited size of a DXL message and the bloat of the STIX XML format, it's best to send queries in smaller formats through the Tychon SDK.
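
Taking Chris's sketch above (poll a set of TAXII feeds and emit each new indicator as a DXL event for sandboxes, SIEMs and endpoint scanners to consume) together with the Tychon note that a DXL message is size-limited, here is an added example in Python; it is not code from OpenDXL, TIE or Tychon. It assumes a STIX 2.1 JSON bundle rather than STIX 1.x XML, uses a constructed bundle in place of a live TAXII poll, handles only `=` comparisons on hash, IP, domain and URL properties, and uses a hypothetical topic name and a deliberately small 512-byte payload cap so that the batching is visible:

```python
"""Compact DXL event payloads from a STIX 2.1 bundle, batched under a size cap.
Added example, not OpenDXL, TIE or Tychon code. SAMPLE_BUNDLE is constructed data;
the topic, the 512-byte cap and the handled pattern subset are assumptions."""
import json
import re

EVENT_TOPIC = "/example/threatintel/indicator"  # hypothetical DXL topic (assumption)
MAX_PAYLOAD_BYTES = 512  # deliberately tiny so that batching is visible (assumption)

def make_indicator(suffix, name, pattern, **extra):
    """Minimal STIX 2.1 indicator object for the constructed sample bundle."""
    obj = {"type": "indicator", "spec_version": "2.1", "id": "indicator--" + suffix,
           "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
           "name": name, "indicator_types": ["malicious-activity"], "pattern_type": "stix",
           "pattern": pattern, "valid_from": "2024-01-01T00:00:00Z"}
    obj.update(extra)
    return obj

# Constructed sample: a hash indicator with two comparisons, an IP, a domain, and a
# revoked indicator that must not become an event.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        make_indicator("aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa", "Dropper sample",
                       "[file:hashes.'SHA-256' = '%s' OR file:hashes.MD5 = '%s']"
                       % ("ab" * 32, "cd" * 16)),
        make_indicator("bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb", "C2 beacon",
                       "[ipv4-addr:value = '203.0.113.5']"),
        make_indicator("cccccccc-cccc-4ccc-8ccc-cccccccccccc", "Phishing site",
                       "[domain-name:value = 'login.example.test']"),
        make_indicator("dddddddd-dddd-4ddd-8ddd-dddddddddddd", "Withdrawn",
                       "[ipv4-addr:value = '198.51.100.9']", revoked=True)]})

# One STIX comparison expression: <object-type>:<property path> = '<literal>'.
COMPARISON_RE = re.compile(r"([a-z0-9-]+:[A-Za-z0-9_.'-]+)\s*=\s*'([^']*)'")
OBJECT_PATH_KINDS = {"ipv4-addr:value": "ipv4", "ipv6-addr:value": "ipv6",
                     "domain-name:value": "domain", "url:value": "url"}

def observables_from_pattern(pattern):
    """(kind, value) pairs for the '=' comparisons in a STIX pattern. Other operators
    and object paths outside hashes/IP/domain/URL are skipped, not guessed at."""
    found = []
    for path, value in COMPARISON_RE.findall(pattern):
        path = path.replace("'", "")  # file:hashes.'SHA-256' -> file:hashes.SHA-256
        if path.startswith("file:hashes."):
            algo = path.split(".", 1)[1].lower().replace("-", "")  # SHA-256 -> sha256
            found.append((algo, value.lower()))
        elif path in OBJECT_PATH_KINDS:
            found.append((OBJECT_PATH_KINDS[path], value))
    return found

def indicator_events(bundle_json):
    """One compact event dict per observable of every non-revoked indicator."""
    events = []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        for kind, value in observables_from_pattern(obj.get("pattern", "")):
            events.append({"stix_id": obj["id"], "kind": kind, "value": value,
                           "labels": obj.get("indicator_types", []),
                           "valid_from": obj.get("valid_from"), "name": obj.get("name", "")})
    return events

def batch_payloads(events, max_bytes=MAX_PAYLOAD_BYTES):
    """Pack events into JSON-array payloads of at most max_bytes (UTF-8), first fit in
    input order. An event that cannot fit on its own raises rather than being dropped."""
    payloads, batch, size = [], [], 2  # 2 bytes for the enclosing '[' and ']'
    for ev in events:
        enc = json.dumps(ev, separators=(",", ":"), sort_keys=True)
        n = len(enc.encode("utf-8"))
        if n + 2 > max_bytes:
            raise ValueError("event for %s exceeds the payload cap" % ev["stix_id"])
        extra = n + (1 if batch else 0)  # +1 for the separating comma
        if size + extra > max_bytes:
            payloads.append("[" + ",".join(batch) + "]")
            batch, size, extra = [], 2, n
        batch.append(enc)
        size += extra
    if batch:
        payloads.append("[" + ",".join(batch) + "]")
    return payloads

def decode_payload(payload):
    """Consumer side: one DXL payload back into its list of event dicts."""
    events = json.loads(payload)
    if not isinstance(events, list):
        raise ValueError("payload is not an event list")
    return events

def publish(payloads, send, topic=EVENT_TOPIC):
    """Hand each payload to send(topic, payload) and return the number sent."""
    for payload in payloads:
        send(topic, payload)
    return len(payloads)

if __name__ == "__main__":
    payloads = batch_payloads(indicator_events(SAMPLE_BUNDLE))
    publish(payloads, lambda topic, body: print(topic, len(body), "bytes:", body[:60]))
```

To wire this to a broker, replace the `send` callable with the OpenDXL Python client: build a `dxlclient.message.Event` for the topic, set its `payload` to the batch string, and pass it to `DxlClient.send_event`; a TAXII 2 client (for example the OASIS `taxii2client` package) would supply the bundle in place of `SAMPLE_BUNDLE`. The cap is intentionally tiny here and should be sized to the broker's configured limit; the revoked indicator is dropped on the producer side so that no consumer ever acts on it.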

  • Structured Threat Information Expression (STIX™) is a language and serialization format used to exchange cyber threat intelligence (CTI). STIX is open source and free, allowing those interested to contribute and ask questions freely. Contributing and ingesting CTI becomes a lot easier. With STIX, all aspects of suspicion, compromise and attribution can be represented clearly with objects and descriptive relationships.