Home
Threat Intelligence
Configuration
Details on how to configure Threat Intelligence.
Threat Intelligence Feed
Configuration
Configure Anomali STAXX
Do this procedure to configure the Anomali STAXX, a free TAXII/STIX solution, for integration with the Nozomi Networks TAXII server, including setting descriptions, uniform resource locators (URLs), and authentication details.

Threat Intelligence
- Introduction
  An overview of Threat Intelligence.
- Requirements
  A description of the requirements that are necessary to install and use Threat Intelligence.
- Configuration
  Details on how to configure Threat Intelligence.
  - Configure a Threat Intelligence license
    Before you can use the Threat Intelligence, you must install a license.
  - Enable automatic updates
    If you are connected to Vantage, or a Central Management Console (CMC), you can enable automatic Threat Intelligence updates.
  - Configure manual updates
    If your sensor, or Central Management Console (CMC), is not connected to the internet, you can update Threat Intelligence manually.
  - Sensor-level contents management
    By default, Threat Intelligence contents can only be managed on the top-level sensor. However, this policy can be customized to allow any sensor in the solution to add, edit, enable or disable individual contents.
  - Manage contents at sensor level
    You can change the status of the Enable local contents toggle to change how the Threat Intelligence contents are managed.
  - Threat Intelligence Feed
    - Introduction
    - Requirements
    - Configuration
      - taxii2client configuration
        Learn how to use the minimal Python library from OASIS to set up a taxii2client to interact with the TAXII server from Nozomi Networks. This includes integration for software that does not support the TAXII 2.0 protocol.
      - Configure Anomali STAXX
        Do this procedure to configure the Anomali STAXX, a free TAXII/STIX solution, for integration with the Nozomi Networks TAXII server, including setting descriptions, uniform resource locators (URLs), and authentication details.
      - Configure Microsoft Sentinel
        Once the Threat Intelligence - TAXII data connector is installed, you need to configure the TAXII server.
      - Configure ThreatQ
        Follow these steps to add and enable a new TAXII feed integration in ThreatQ, verify indicator ingestion, and monitor the integration's status through the Activity Log.
      - Configure QRadar
        Do this procedure to integrate a new TAXII feed into QRadar to enhance threat intelligence capabilities. This procedure covers adding the feed, ensuring full indicator ingestion, and monitoring the integration via the Activity Log for optimal security posture.
    - Troubleshooting
- Maintenance
  Information on how to maintain Threat Intelligence.
- Print format documentation
  A list of all the print-format documentation that is available for Threat Intelligence.

Configure Anomali STAXX

Do this procedure to configure the Anomali STAXX, a free TAXII/STIX solution, for integration with the Nozomi Networks TAXII server, including setting descriptions, uniform resource locators (URLs), and authentication details.

Download Anomali STAXX from the Anomali website.
To install the downloaded open virtual appliance (OVA) file, follow the Anomali instructions.
Launch Anomali STAXX.
Select Add New Site.
A dialog shows.
In the Description field, enter a description.
In the Discovery URL field, enter the Discovery uniform resource locator (URL): https://ti-taxii.nws.nozominetworks.io/taxii/
Select the Basic Authentication checkbox.
In the Username field, enter your username.
In the Password field, enter your password.
Do not select the SSL Two-Way Certificate checkbox.
Select Add Site.
The site will be added.
In the section on the right, select Discover.
Select Enable for each item as necessary.
To select the time range to poll indicators from, select Edit for the applicable collection.

In order to receive historical indicators, this value should be high for the initial poll. You can then decrease it based on how often the server will be polled. For example, if polling daily, only poll for indicators that have been added within the last 24 hours.
To poll indicators, select Poll Now.

Note: This can take some minutes depending on how large a collection is.

Once this process completes, the number of Last Poll Observables will show a value.

The indicators can be accessed from the Dashboard menu.