This repository is used to continuously retrieve threats from the Datalake platform and insert them into a taxii server. The user can set a frequency at which the collections of STIX objects will be updated. Upon each update, all previously stored objects are purged from the collections and replaced by the updated objects, which lets us provide new information collected on older threats, e.g. an updated score or whitelisting.

A reference taxii server, medallion, is used by default.
By default the taxii server is defined as `my.taxii_server.com`. It is resolved as the front nginx for each container defined in the docker-compose; `localhost` cannot be used. Instead, you can replace it with the hostname of the machine to access the taxii server from outside of the docker container. To do so you need to change the `my.taxii_server.com` value in `docker-compose.yml`, `.env`, `deployment_sample`, `nginx_proxy`, `conf.d` and `proxy.conf`.
- If you don't want to clone this repo, copy the example docker-compose file and rename it to `docker-compose.yml`, else just use the local `docker-compose.yml`. No matter what you choose here, you will have to complete the following steps.
- Create a file named `.env` and copy the content of `template.env` into it, then fill in the values like the following:

```
PYTHONUNBUFFERED=1
OCD_DTL_API_ENV=prod
[email protected]
OCD_DTL_PASSWORD=mysupersecretpassword1
OCD_DTL_API_LOG_LVL=20
OCD_DTL_TAXII_HOST=http://my.taxii_server.com:8080
OCD_DTL_TAXII_MONGO_URL=mongodb://root-username-in-docker-compose:password-in-docker-compose@mongo:27017/
OCD_DTL_TAXII_USER=mytaxiiuser
OCD_DTL_TAXII_PASSWORD=mysupertaxiipassword1
OCD_DTL_TAXII_VERIFY_SSL=False
```

  Make sure to replace the values.
- Create a file named `medallion_config.json` and copy the content of `template_medallion_config.json` into it, then fill in the values like the following:

```json
{
  "backend": {
    "module_class": "MongoBackend",
    "uri": "mongodb://root-username-in-docker-compose:password-in-docker-compose@mongo:27017/"
  },
  "users": {
    "mytaxiiuser": "mysupertaxiipassword1"
  },
  "taxii": {
    "max_page_size": 100
  }
}
```

  The values must be consistent with `docker-compose.yml` and `.env`, in particular the mongo username and password, as well as `TAXII_USER` and `TAXII_PASSWORD`.
- Create a file named `queries.json` and copy the content of `template_queries.json` into it, then fill in the values like the following:

```json
{
  "queries": [
    {
      "comment": "daily query",
      "query_hash": "c86898ecf681cea394521d51499296a5",
      "frequency": "24h",
      "collection_id": "my_collection"
    }
  ]
}
```

  The `query_hash` can be obtained from the Datalake GUI or from the API endpoint https://datalake.cert.orangecyberdefense.com/api/v2/mrti/advanced-queries/threats/. Since the latter requires you to already have a `query_body`, we recommend using the GUI.
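The three files above have to agree with each other (same mongo credentials on both sides, the TAXII user known to medallion, a reachable TAXII host, well-formed query entries), and a mismatch usually only shows up as an authentication failure at runtime. The following script is an added example, not part of this project's code: it cross-checks `.env`, `medallion_config.json` and `queries.json` before you run `make init`. It assumes only the file layouts shown in this README; the sample contents embedded in it are constructed so it runs offline, and the `frequency` pattern (`<number><unit>`, as in `24h`) is an assumption drawn from the template value rather than from the project's parser.

```python
"""Consistency checks across .env, medallion_config.json and queries.json.

Added example, not part of the project's own code. It assumes only the file
layouts shown in this README (KEY=VALUE lines in .env, the two JSON documents)
and nothing about the project's internals. The sample contents below are
constructed so the script runs offline; use load_files() on your real files.
"""
import json
import re
from urllib.parse import unquote, urlparse

# Constructed sample inputs with the template placeholders already replaced.
SAMPLE_ENV = """\
PYTHONUNBUFFERED=1
OCD_DTL_API_ENV=prod
OCD_DTL_PASSWORD=example-datalake-password
OCD_DTL_API_LOG_LVL=20
OCD_DTL_TAXII_HOST=http://my.taxii_server.com:8080
OCD_DTL_TAXII_MONGO_URL=mongodb://root:example-mongo-password@mongo:27017/
OCD_DTL_TAXII_USER=mytaxiiuser
OCD_DTL_TAXII_PASSWORD=example-taxii-password
OCD_DTL_TAXII_VERIFY_SSL=False
"""
SAMPLE_MEDALLION = {
    "backend": {"module_class": "MongoBackend",
                "uri": "mongodb://root:example-mongo-password@mongo:27017/"},
    "users": {"mytaxiiuser": "example-taxii-password"},
    "taxii": {"max_page_size": 100},
}
SAMPLE_QUERIES = {"queries": [{"comment": "daily query",
                               "query_hash": "c86898ecf681cea394521d51499296a5",
                               "frequency": "24h",
                               "collection_id": "my_collection"}]}

PLACEHOLDER = "in-docker-compose"             # substring of the template's dummy values
QUERY_HASH_RE = re.compile(r"^[0-9a-f]{32}$")  # the template hash is 32 lowercase hex chars
FREQUENCY_RE = re.compile(r"^\d+[smhd]$")      # assumption: <number><unit>, as in "24h"


def parse_env(text):
    """Parse KEY=VALUE lines; blank lines and '#' comments are skipped."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip()
    return env


def mongo_identity(uri):
    """(user, password, host, port) from a mongodb:// URI, for comparing both sides."""
    p = urlparse(uri)
    return (unquote(p.username or ""), unquote(p.password or ""), p.hostname, p.port)


def check_config(env, medallion, queries):
    """Return {'errors': [...], 'warnings': [...]}; no errors means the files agree."""
    errors, warnings = [], []

    # Unreplaced template placeholders anywhere in .env
    for key, value in env.items():
        if PLACEHOLDER in value:
            errors.append(f".env {key} still holds a template placeholder")

    # medallion must know the TAXII user/password the ingester authenticates with
    user, password = env.get("OCD_DTL_TAXII_USER"), env.get("OCD_DTL_TAXII_PASSWORD")
    if not user or medallion.get("users", {}).get(user) != password:
        errors.append("OCD_DTL_TAXII_USER/PASSWORD do not match medallion_config.json 'users'")

    # both sides must reach the same mongo with the same credentials
    if mongo_identity(env.get("OCD_DTL_TAXII_MONGO_URL", "")) != mongo_identity(medallion["backend"]["uri"]):
        errors.append("OCD_DTL_TAXII_MONGO_URL differs from medallion_config.json backend.uri")

    # localhost resolves inside each container, not to the nginx front (see above)
    host = urlparse(env.get("OCD_DTL_TAXII_HOST", "")).hostname
    if host in (None, "localhost", "127.0.0.1"):
        errors.append("OCD_DTL_TAXII_HOST must be a hostname reachable from the containers, not localhost")

    if env.get("OCD_DTL_TAXII_VERIFY_SSL", "").lower() == "false":
        warnings.append("OCD_DTL_TAXII_VERIFY_SSL=False: acceptable with the default self-signed cert, "
                        "not on an open network (see the certificate section)")

    # every query entry needs the fields the ingester reads, in a plausible shape
    for i, q in enumerate(queries.get("queries", [])):
        if not QUERY_HASH_RE.match(q.get("query_hash", "")):
            errors.append(f"queries[{i}]: query_hash is not a 32-char hex string")
        if not FREQUENCY_RE.match(q.get("frequency", "")):
            errors.append(f"queries[{i}]: frequency '{q.get('frequency')}' is not like '24h'")
        if not q.get("collection_id"):
            errors.append(f"queries[{i}]: collection_id is missing")
    return {"errors": errors, "warnings": warnings}


def load_files(env_path=".env", medallion_path="medallion_config.json", queries_path="queries.json"):
    """Read the three real files from disk and run the checks on them."""
    with open(env_path) as f, open(medallion_path) as m, open(queries_path) as q:
        return check_config(parse_env(f.read()), json.load(m), json.load(q))


if __name__ == "__main__":
    result = check_config(parse_env(SAMPLE_ENV), SAMPLE_MEDALLION, SAMPLE_QUERIES)
    for level in ("errors", "warnings"):
        for msg in result[level]:
            print(f"[{level[:-1].upper()}] {msg}")
    print("ok" if not result["errors"] else f"{len(result['errors'])} error(s)")
```

Run it from the directory holding the three files and replace the `__main__` call with `load_files()` to check the real ones; a non-empty `errors` list means `make init` would start with inconsistent credentials.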
- Copy the `deployment_sample` directory locally to configure nginx.
- Initialise the taxii db with:

```
make init
```

- Then start ingesting threats with:

```
make run
```

To stop the container gracefully, allowing all the threats to be fully inserted, use:

```
docker stop -t 120 <container_name>
```

To keep data between reboots, uncomment and fill in the mongo and redis `volumes` fields.
If you are on an open network, you must secure connections to the taxii server with a certificate, from Let's Encrypt for example.
By default, nginx uses a self-signed certificate. Replace it in the following directory, and change the nginx config so that it no longer listens on 8080.
Remember to adapt your `.env` after that.
To run the tests, you will need to use the `docker-compose.test.yml` docker-compose file. If you made changes to the tests, make sure any required changes are made there.
Run the tests with the following command:

```
make test
```