Configure how Threat Intelligence contents are handled
conf.user configure sandbox contents <json_value>
Product
Guardian
Description
This command configures how Threat Intelligence contents are to be loaded. The JSON object can have the following attributes:
load_contents
- this can be true/false to enable/disable the loading of contents;
stix_backend_provider
- selects the engine to be used for STIX indicators: 'memory' (indicators are stored in memory - default) or 'db' (indicators are stored in the system database). With 'db', the application memory requirements become lower, but STIXv1 (XML) indicators are not supported;
loaded_content_types
- this is a JSON array of contents to be loaded.
Contents available are:
- stix_indicators
- yara_rules
As an example, the following command completely disables the loading of contents:
conf.user configure sandbox contents { "load_contents": false }
As a further example, the following command allows only YARA rules to be loaded:
conf.user configure sandbox contents { "loaded_content_types": [ "yara_rules" ] }
As another example, the following command configures the system database as the store for STIX indicator information, reducing the application memory footprint:
conf.user configure sandbox contents { "stix_backend_provider": "db" }
Parameters
json_value: A JSON object to configure how Threat Intelligence contents are loaded
Where
CLI
To apply
It is applied automatically.
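A pre-flight check for the JSON object described above, given here as an added example that is not part of the original documentation: it accepts only the attributes and values listed on this page, flags the STIXv1 limitation of the 'db' backend, and builds the command line. The function names are hypothetical, and rejecting unlisted attributes is an assumption about how strict the check should be.

```python
import json

# Attribute names and values as listed in the Description; nothing else is assumed valid.
ATTRIBUTES = {"load_contents", "stix_backend_provider", "loaded_content_types"}
BACKENDS = {"memory", "db"}
CONTENT_TYPES = {"stix_indicators", "yara_rules"}
COMMAND = "conf.user configure sandbox contents"


def check_contents_config(raw):
    """Return (errors, warnings) for a candidate <json_value> string."""
    try:
        cfg = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"], []
    if not isinstance(cfg, dict):
        return ["json_value must be a JSON object"], []
    errors, warnings = [], []
    for key in sorted(set(cfg) - ATTRIBUTES):
        errors.append(f"unknown attribute: {key!r}")
    # Type check only; the fallback value here is not a statement about the product default.
    if not isinstance(cfg.get("load_contents", True), bool):
        errors.append("load_contents must be true or false")
    backend = cfg.get("stix_backend_provider", "memory")  # 'memory' is the documented default
    if not isinstance(backend, str) or backend not in BACKENDS:
        errors.append("stix_backend_provider must be 'memory' or 'db'")
    elif backend == "db":
        warnings.append("'db' backend: STIXv1 (XML) indicators are not supported")
    types = cfg.get("loaded_content_types", [])
    if not isinstance(types, list):
        errors.append("loaded_content_types must be a JSON array")
    else:
        for item in types:
            if not isinstance(item, str) or item not in CONTENT_TYPES:
                errors.append(f"unknown content type: {item!r}")
    return errors, warnings


def render_command(raw):
    """Return the CLI line for a valid json_value; raise ValueError otherwise."""
    errors, _ = check_contents_config(raw)
    if errors:
        raise ValueError("; ".join(errors))
    return f"{COMMAND} {json.dumps(json.loads(raw))}"


if __name__ == "__main__":
    # Constructed input: a misspelled content type that would otherwise be typed as-is.
    print(check_contents_config('{"loaded_content_types": ["yara_rule"]}'))
    print(render_command('{"stix_backend_provider": "db"}'))
```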