Configure how Threat Intelligence contents are handled

conf.user configure sandbox contents <json_value>

Product

Guardian

Description

This command configures how Threat Intelligence contents are to be loaded. The JSON object can have the following attributes:

  • load_contents - this can be true/false to enable/disable the loading of contents;
  • stix_backend_provider - selects the engine to be used for STIX indicators: 'memory' (indicators are stored in memory - default) or 'db' (indicators are stored in the system database). With 'db', the application memory requirements become lower, but STIXv1 (XML) indicators are not supported;
  • loaded_content_types - this is a JSON array of contents to be loaded.

Contents available are:

  • stix_indicators
  • yara_rules

As an example, the following command completely disables content loading:

conf.user configure sandbox contents { "load_contents": false }

As a further example, the following command allows only YARA rules to be loaded:

conf.user configure sandbox contents { "loaded_content_types": [ "yara_rules" ] }

As another example, the following command stores STIX indicator information in the system database, reducing the application memory footprint:

conf.user configure sandbox contents { "stix_backend_provider": "db" }
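
A pre-flight check for the <json_value>, added here as an example and not part of the product or its documentation: it validates a candidate object against the attributes listed above and flags the STIXv1 limitation of the 'db' backend before the command is typed into the CLI. The function names check_contents_config and build_command are hypothetical.

```python
import json

# Attribute names and allowed values are taken from the description above.
KNOWN_ATTRIBUTES = {"load_contents", "stix_backend_provider", "loaded_content_types"}
ALLOWED_BACKENDS = {"memory", "db"}
ALLOWED_CONTENT_TYPES = {"stix_indicators", "yara_rules"}
COMMAND_PREFIX = "conf.user configure sandbox contents"


def check_contents_config(raw):
    """Return (errors, warnings) for a candidate <json_value> string."""
    try:
        cfg = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"], []
    if not isinstance(cfg, dict):
        return ["value must be a JSON object"], []

    errors, warnings = [], []
    for key in cfg:
        if key not in KNOWN_ATTRIBUTES:
            errors.append(f"unknown attribute: {key}")
    # bool check is strict: 0/1 and "true" are rejected
    if "load_contents" in cfg and not isinstance(cfg["load_contents"], bool):
        errors.append("load_contents must be true or false")
    backend = cfg.get("stix_backend_provider")
    if "stix_backend_provider" in cfg:
        if not isinstance(backend, str) or backend not in ALLOWED_BACKENDS:
            errors.append("stix_backend_provider must be 'memory' or 'db'")
    types = cfg.get("loaded_content_types")
    if "loaded_content_types" in cfg:
        if not isinstance(types, list):
            errors.append("loaded_content_types must be a JSON array")
        else:
            for t in types:
                if not isinstance(t, str) or t not in ALLOWED_CONTENT_TYPES:
                    errors.append(f"unknown content type: {t!r}")
    # 'db' drops STIXv1 (XML) support; only relevant if STIX is not excluded
    stix_loaded = not isinstance(types, list) or "stix_indicators" in types
    if backend == "db" and stix_loaded:
        warnings.append("'db' backend: STIXv1 (XML) indicators are not supported")
    return errors, warnings


def build_command(raw):
    """Return the CLI line for a valid value; raise ValueError otherwise."""
    errors, _ = check_contents_config(raw)
    if errors:
        raise ValueError("; ".join(errors))
    return f"{COMMAND_PREFIX} {json.dumps(json.loads(raw))}"
```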

Parameters

json_value: A JSON object to configure how Threat Intelligence contents are loaded

Where

CLI

To apply

It is applied automatically.