Set up Threat Intelligence
- Updated Aug 1, 2024
- Release: Xanadu
Before you run Threat Intelligence in your instance, you must download it from the ServiceNow Store. You can also set up properties and define a threat source.
Install Threat Intelligence
Before you run Threat Intelligence in your instance, you must download it from the ServiceNow Store.
Before you begin
Setup tasks | Description |
---|---|
Verify that you have the required ServiceNow roles for your instance. | The following roles are required for installation, configuration, and verification of expected results: |
Procedure
What to do next
Components installed with Threat Intelligence
Several types of components are installed with activation of the Threat Intelligence plugin, including tables and user roles.
Demo data is available for this feature.
Roles installed
Role title [name] | Description | Contains roles |
---|---|---|
Threat Administrator [sn_ti.admin] | Has full control over all threat properties, SLAs, and notifications. | sn_ti.write |
Threat Reader [sn_ti.read] | Has read access to threat information. | sn.sec_cmn.int_read |
Threat Writer [sn_ti.write] | Has write access to threat information. Cannot delete attack modes, indicators, or observables; only a Threat Administrator can delete them. | |
MITRE Analyst [sn_ti.mitre_analyst] | Enables read access to the MITRE ATT&CK modules in Threat Intelligence and to the SIR module. | |
Tables installed
Table | Description |
---|---|
Attack mechanism [sn_ti_attack_mechanism] | Organizes attack patterns hierarchically based on mechanisms that are frequently employed when exploiting a vulnerability. The categories that are members of this view represent the different techniques used to attack a system. |
Attack mode/method [sn_ti_attack_mode] | Attack modes and methods are representations of the behavior of cyber adversaries. They characterize what an adversary does and how they do it in increasing levels of detail. |
Discovery method [sn_ti_discovery_method] | An expression of how an incident was discovered. |
Feed [sn_ti_feed] | Used for configuring the Threat Feed (RSS) in the Threat Overview. |
Indicator Attack mode/method [sn_ti_m2m_indicator_attack_mode] | Used to map attack modes/methods to indicators. |
Indicator of Compromise [sn_ti_indicator] | Used to convey specific observable patterns combined with contextual information intended to represent artifacts and/or behaviors of interest within a cyber security context. |
Indicator of Compromise Metadata [sn_ti_indicator_metadata] | Used to populate TAXII records. |
Indicator Source [sn_ti_m2m_indicator_source] | Used to collect all the sources reporting the specific indicator. |
Indicator Type [sn_ti_indicator_type] | Characterizes a cyberthreat indicator made up of a pattern identifying certain observable conditions as well as contextual information about the pattern's meaning, how and when it is acted on, and so on. |
Associated Indicator Type [sn_ti_m2m_indicator_indicator_type] | Links indicators with their applicable types. |
Incident count [sn_ti_observable] | Number of security incidents associated with an observable. |
Intended effect [sn_ti_intended_effect] | Used for expressing the intended effect of a threat actor. |
IP Scan Result [sn_ti_ip_result] | Used to show the results of an IP lookup. |
Malware Rate limit [sn_ti_rate_limit] | Defines a rate limit to be used on a lookup source. |
Malware Scan [sn_ti_scan] | A lookup. Contains what to look up, with which lookup source, and a summary of the lookup results. |
Malware Scan Queue Entry [sn_ti_scan_q_entry] | A lookup record queued for lookup or processing. Keeps the requests within the stated rate limits. |
Malware Scan Result [sn_ti_scan_result] | Displays the result of a lookup. |
Malware Scanner [sn_ti_scanner] | Defines third-party lookup sources to use in performing lookups. |
Malware Scanner Rate Limit [sn_ti_scanner_rate_limit] | Associates a lookup source with a rate limit. |
Malware Type [sn_ti_malware_type] | Used for expressing the types of malware instances. |
Observable [sn_ti_observable] | Observables in STIX represent stateful properties or measurable events pertinent to the operation of computers and networks. |
Observable Context Type [sn_ti_observable_context_type] | Stores the context (source or destination of an IP address, and so forth) for an observable. |
Observable Indicator [sn_ti_m2m_observable_indicator] | Used to relate observables to indicators. |
Observable Source [sn_ti_observable_source] | Used to relate observables to threat sources. |
Observable Type [sn_ti_observable_type] | Lists the various types of observables, such as IP addresses. |
Observable Type Category [sn_ti_observable_type_category] | Stores the first categorization of observables (for example, IP addresses and URLs). It is used for more accurately determining observable types. |
Related attack mode/method [sn_ti_m2m_attack_mode_attack_mode] | Used to relate attack modes to each other. |
Related Observables [sn_ti_m2m_observables] | Used to relate observables to each other. |
Scan type [sn_ti_scan_type] | The definition of a lookup type, with initial records for File, URL, and IP. |
Security Case [sn_ti_case] | Stores security case records created using Case Management. |
Security Case IoC [sn_ti_case_ioc] | Used to manage the relationship between observables and cases. |
Security Case Related Task [sn_ti_m2m_case_task] | Used to manage the relationship between tasks (security incidents, change requests, and so forth) and security cases. |
Security Case Relationship Exclusion [sn_ti_case_relationship_exclusion] | Provides the definition of inclusion and exclusion of related records in security cases. |
Sighting [sn_ti_sighting] | The m2m link between the observable and the Sightings Search detail result used in the execution of a Sighting Search request. |
Sighting Configuration Items [sn_ti_m2m_sighting_ci] | Maps configuration items to a Sightings Search. |
Sighting Search Detail [sn_ti_sighting_search_detail] | Details of a Sighting Search, for example the number of internal and external items found. |
Sighting Search Result [sn_ti_sighting_search] | The header for a Sightings Search execution. |
Supported Observable Types [sn_ti_m2m_ind_type_obs_type] | Relates indicator types to valid observable types. |
Supported Scan Type [sn_ti_supported_scan_type] | Maps the lookup type to a lookup source/vendor-specific implementation. Indicates that a specific lookup source supports the type. |
Task Attack mode/method [sn_ti_m2m_task_attack_mode] | Relates attack modes to tasks. |
Task Indicator [sn_ti_m2m_task_indicator] | Relates indicators to tasks. |
Task Observable [sn_ti_m2m_task_observable] | Relates observables to tasks. |
Task Sighting [sn_ti_m2m_task_sighting] | Stores task records (security incidents and cases) related to a sighting record. |
TAXII Collection [sn_ti_taxii_collection] | Defines a cyber-risk intelligence feed that can be imported by a TAXII server. |
TAXII Profile [sn_ti_taxii_profile] | Defines a repository for sharing cyber-risk intelligence. Contains TAXII collections. |
Threat Actor type [sn_ti_threat_actor_type] | Provides characterizations of malicious actors (or adversaries) representing a cyber attack threat, including presumed intent and historically observed behavior. |
Threat Intelligence Source [sn_ti_source] | Defines a source for importing threat data. |
Associated Attack Motivation [sn_ti_stix2_m2m_object_attack_motivation] | Collects all attack motivations associated with a STIX Object. |
Associated Infrastructure Type [sn_ti_stix2_m2m_infra_type] | Links infrastructure with its types. |
Associated Kill Chain Phase [sn_ti_stix2_m2m_indicator_kill_chain_phase] | Links kill chain phases to indicators. |
Associated Kill Chain Phase [sn_ti_stix2_m2m_object_kill_chain_phase] | Links kill chain phases to STIX objects. |
Associated Malware Capability [sn_ti_stix2_m2m_malware_capability] | Links malware with its capabilities. |
Associated Malware Type [sn_ti_stix2_m2m_malware_malware_type] | Links malware with its types. |
Associated Observable [sn_ti_stix2_m2m_malware_observable] | Collects all observables associated with a malware. |
Associated Observable [sn_ti_stix2_m2m_observed_data_observable] | Collects all observables associated with observed data. |
Associated Report Type [sn_ti_stix2_m2m_report_report_type] | Links threat reports with their types. |
Associated Threat Actor Role [sn_ti_stix2_m2m_threat_actor_threat_actor_role] | Links threat actors with their roles. |
Associated Threat Actor Type [sn_ti_stix2_m2m_threat_actor_threat_actor_type] | Links threat actors with their types. |
Associated Tool Type [sn_ti_stix2_m2m_tool_tool_type] | Links tools with their types. |
Attack Motivation [sn_ti_stix2_attack_motivation] | Attack Motivation shapes the intensity and the persistence of an attack. Threat Actors and Intrusion Sets usually act in a manner that reflects their underlying emotion or situation, and this informs defenders of the manner of attack. |
Attack Pattern [sn_ti_stix2_attack_pattern] | A TTP type that describes methods that adversaries use to attempt to compromise targets. |
Campaign [sn_ti_stix2_campaign] | A grouping of adversarial behaviors that describe a set of malicious activities or attacks (sometimes named as waves) that occur over a period against a specific set of targets. |
Course of Action [sn_ti_stix2_course_of_action] | A recommendation from a producer of intelligence to a consumer on the actions that they might take in response to intelligence. |
External Reference [sn_ti_stix2_external_reference] | Pointers to information represented outside of STIX. |
Identity Sighting [sn_ti_stix2_m2m_sighting_identity] | Collects all Identities associated with a Sighting. |
Identity [sn_ti_stix2_identity] | Actual individuals, organizations, or groups (for example, ACME, Inc.) as well as classes of individuals, organizations, systems, or groups (for example, the finance sector). |
Indicator External Reference [sn_ti_stix2_indicator_external_reference] | Represents external references associated with indicators. |
Indicator Sighting [sn_ti_stix2_indicator_sighting] | Represents sightings of indicators. |
Infrastructure Type [sn_ti_stix2_infrastructure_type] | Represents the various infrastructure types. |
Infrastructure [sn_ti_stix2_infrastructure] | A TTP type that describes any systems, software services, and any associated physical or virtual resources intended to support some purpose (for example, C2 servers used as part of an attack, devices or servers that are part of a defense, database servers targeted by an attack, and the like). |
Installed software [sn_ti_stix2_m2m_malware_analysis_sw] | Collects all software (SCO software types) associated with a malware analysis. |
Intrusion Set [sn_ti_stix2_intrusion_set] | A grouped set of adversarial behaviors and resources with common properties that is believed to be orchestrated by a single organization. |
Kill Chain Phase [sn_ti_stix2_kill_chain_phase] | Represents kill chain phases associated with a kill chain. |
Kill Chain [sn_ti_stix2_kill_chain] | Represents various kill chains. |
Location [sn_ti_stix2_location] | Represents a geographic location provided through STIX. |
Malware Analysis [sn_ti_stix2_malware_analysis] | The metadata and results of a particular static or dynamic analysis performed on a malware instance or family. |
Malware Capability [sn_ti_stix2_malware_capability] | Represents common capabilities that a malware family or instance exhibits. |
Malware Operating System [sn_ti_stix2_m2m_malware_operating_system] | Collects all Operating Systems (SCO software types) associated with malware. |
Malware [sn_ti_stix2_malware] | A TTP type that represents malicious code. |
Marking Definition [sn_ti_stix2_marking_definition] | Represents handling or sharing requirements for STIX Objects. |
Object Sighting [sn_ti_stix2_object_sighting] | Represents sightings of STIX Objects. |
Object-Indicator Relationship [sn_ti_stix2_m2m_object_indicator] | Collects all relationships between STIX objects and STIX indicators. |
Object-Object Relationship [sn_ti_stix2_m2m_object] | Collects all relationships between STIX Objects and other STIX objects, excluding the indicators. |
Object-Observable Relationship [sn_ti_stix2_m2m_object_observable] | Collects all relationships between STIX observables and STIX objects. |
Observed Data Sighting [sn_ti_stix2_m2m_sighting_observed_data] | Collects all the observed data objects associated with a sighting. |
Observed Data [sn_ti_stix2_observed_data] | Conveys information about cyber security-related entities such as files, systems, and networks using the STIX Cyber-Observable Objects (SCOs). |
Report Type [sn_ti_stix2_report_type] | Represents the primary purpose or subject of Threat Reports. |
Reported Observable [sn_ti_stix2_m2m_malware_analysis_observable] | Collects all observables associated with a Malware Analysis. |
STIX V2 Object [sn_ti_stix2_object] | Common parent table for STIX Objects. |
STIX V2 Sighting [sn_ti_stix2_sighting] | Common parent table for STIX sighting tables. |
Threat Actor Role [sn_ti_stix2_threat_actor_role] | Represents roles that can be played by threat actors. |
Threat Actor [sn_ti_stix2_threat_actor] | Threat Actors are actual individuals, groups, or organizations believed to be operating with malicious intent. |
Threat Grouping [sn_ti_stix2_threat_grouping] | Groups all the STIX Objects that share some common context. |
Threat Note [sn_ti_stix2_threat_note] | Provides context and additional analysis not contained in the corresponding STIX Object. |
Threat Opinion [sn_ti_stix2_threat_opinion] | Provides an assessment of the accuracy of information in a STIX object produced by a different entity. |
Threat Report [sn_ti_stix2_threat_report] | Reports are collections of threat intelligence focused on one or more topics, such as a description of a threat actor, malware, or attack technique, including context and related details. They are used to group related threat intelligence together to publish as a comprehensive cyber threat story. |
Tool Type [sn_ti_stix2_tool_type] | The categories of tools that can be used to perform attacks. |
Tool [sn_ti_stix2_tool] | Tools are legitimate software that is used by threat actors to perform attacks. |
Vulnerability [sn_ti_stix2_vulnerability] | Represents a weakness or defect in the requirements, designs, or implementations of the computational logic (for example, code) found in software and some hardware components (for example, firmware). Such weaknesses can be directly exploited to negatively impact the confidentiality, integrity, or availability of that system. |
Set Threat Intelligence properties
Threat Intelligence properties allow you to control how different aspects of the system function, including the setting of API keys.
Before you begin
Role required: sn_ti.admin
Procedure
- Navigate to All > Threat Intelligence > Administration > Properties.
- Set the following properties, as needed.

Table 1. Properties for Threat Intelligence

Property | Name | Description |
---|---|---|
The domain name to retrieve additional information for IP addresses/URLs | sn_ti.ip_lookup.web_site | The domain name to use for retrieving additional information into your IoC database. This property is used by the ThreatAdditionalInfo script include to populate additional information on the Observables form. Default value: http://api.ipinfodb.com/v3/ip-country/ Note: The ipinfodb.com third-party API is available at no extra charge and is used in many commercial software programs. If you replace it with a different domain name, you must also provide the API key in the next field. |
The API key to be used for the domain, if any | sn_ti.ip_lookup.api_key | The API key to use for retrieving additional information into your IoC database. This property is used (along with the sn_ti.ip_lookup.web_site property) by the ThreatAdditionalInfo script include to populate additional information on the Observables form. |
Do not run automated threat lookup on an observable when the observable is associated with an IoC or found to be malicious. | sn_ti.scan_ioc_before_sending | Option to stop running the automated threat lookup on an observable when the observable is found to be malicious or associated with an IoC, for the configured duration (in days). If you still need to run the threat lookup for the observable, you can do it manually. Note: You need to define the duration in the next property (sn_ti.scan_ioc_num_days). Default value: Yes |
Duration (in days) | sn_ti.scan_ioc_num_days | Option to define the duration for which the automated threat lookup of the observable is skipped. Default value (in days): 30 |
Do not run automated threat lookup on an observable if already run. | sn_ti.enable_threat_lookup_bypass | If a threat lookup result for an observable is already available, this option skips the rerun of the automated threat lookup for the same observable until the configured duration has passed. Note: You need to define the duration in the next property (sn_ti.threat_lookup_bypass_times). Default value: No Note: If you enable this property, make sure that you also set an appropriate duration value. |
Duration (in minutes) | sn_ti.threat_lookup_bypass_time | Option to define the duration after which the automated threat lookup of the observable can be rerun. Default value (in minutes): 0 |
Set a validity duration for user overrides on observable finding. | sn_ti.enable_observable_finding_system_override | Option to set a validity duration for user overrides on the observable findings. During this validity duration, the threat lookup finding of the observable is not changed by the base system. Note: You need to define the validity in the next property (sn_ti.observable_finding_override_expiry). Default value: No Note: If you enable this property, make sure that you also set an appropriate validity value. |
Validity (in minutes) | sn_ti.observable_finding_override_expiry | Option to define the validity period of the observable finding. Default value (in minutes): none |
When an attack mode/method has not been received from any source for the specified number of days, mark it as inactive | sn_ti.attack_mode_inactivate_days | Number of days after an attack mode/method was last received for the record to be marked inactive. Default value: 360 Note: The Active check box is not visible on the Attack mode/method form by default, but you can add it. Inactive attack modes/methods cannot be selected on other forms. |
When an indicator has not been received from any source for the specified number of days, mark it as inactive | sn_ti.indicator_inactivate_days | Number of days after an indicator was last received for the record to be marked inactive. Default value: 180 Note: The Active check box is not visible on the Indicator form by default, but you can add it. Inactive indicators cannot be selected on other forms. |
The maximum payload size (in MB) for a STIX attachment that can be parsed. | sn_ti.stix.max_payload_size | Specifies the maximum payload size for the STIX attachment that you can parse. Default value: none. Maximum allowed value: No limit. |
Maximum time in seconds an outbound HTTP connection waits to fetch TAXII collection data | sn_ti.taxii.http.max_timeout | Specifies the maximum amount of time an outbound HTTP connection waits before fetching the next packet of TAXII collection data. Default value: 300 |
Maximum number of objects retrieved in one REST call from a TAXII server (applicable only to TAXII versions 2.0 and 2.1) | sn_ti.taxii.max_page_size | Specifies the maximum number of objects retrieved in one REST call from the TAXII server for one page. Default value: 5000. Maximum allowed value: 50000 |
Maximum number of retries for a failed TAXII 2.X REST call | sn_ti.taxii2.retry_count | Specifies the maximum number of retries for a failed TAXII REST call. Default value: 3 |
- Click Save.
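The lookup-gating properties above come in switch-plus-duration pairs, and the defaults (a 0-minute bypass window, a "none" override validity) make a switch that is turned on without its duration do nothing. The following is an added illustration, not ServiceNow code, that models those rules so the interaction of each pair can be checked offline; the observable fields (malicious, linkedToIoc, lastFindingAt, lastLookupAt, finding, findingOverriddenAt) and the choice to count each duration from the matching timestamp are assumptions for this example.

```javascript
// Added illustration, not ServiceNow code: models the gating rules that the
// sn_ti.* lookup properties describe. Assumed (not on the page): an observable
// object with the fields malicious, linkedToIoc, lastFindingAt, lastLookupAt,
// finding and findingOverriddenAt (epoch milliseconds), each duration counted
// from the matching timestamp.

const MS_PER_MIN = 60 * 1000;
const MIN_PER_DAY = 24 * 60;

// Defaults exactly as listed in the properties table.
const DEFAULT_PROPERTIES = {
  "sn_ti.scan_ioc_before_sending": true,
  "sn_ti.scan_ioc_num_days": 30,
  "sn_ti.enable_threat_lookup_bypass": false,
  "sn_ti.threat_lookup_bypass_time": 0,
  "sn_ti.enable_observable_finding_system_override": false,
  "sn_ti.observable_finding_override_expiry": null, // "none"
  "sn_ti.indicator_inactivate_days": 180,
  "sn_ti.attack_mode_inactivate_days": 360,
};

function minutesSince(timestamp, now) {
  // A missing timestamp counts as "just now", so the window is treated as open.
  return timestamp == null ? 0 : (now - timestamp) / MS_PER_MIN;
}

// Decide whether the *automated* lookup should run for an observable.
// A manual lookup from the form is never gated by these rules.
function shouldRunAutomatedLookup(observable, overrides, now) {
  const p = Object.assign({}, DEFAULT_PROPERTIES, overrides);

  // Rule 1 (on by default): a known-bad observable, malicious or tied to an
  // IoC, is not re-scanned for sn_ti.scan_ioc_num_days days.
  if (p["sn_ti.scan_ioc_before_sending"] && (observable.malicious || observable.linkedToIoc)) {
    const windowMinutes = p["sn_ti.scan_ioc_num_days"] * MIN_PER_DAY;
    if (minutesSince(observable.lastFindingAt, now) < windowMinutes) {
      return { run: false, reason: "known-bad within sn_ti.scan_ioc_num_days" };
    }
  }

  // Rule 2 (off by default): an existing result is reused for
  // sn_ti.threat_lookup_bypass_time minutes. With the default of 0 the window
  // is empty, which is why the table says to set a value when enabling this.
  if (p["sn_ti.enable_threat_lookup_bypass"] && observable.lastLookupAt != null) {
    if (minutesSince(observable.lastLookupAt, now) < p["sn_ti.threat_lookup_bypass_time"]) {
      return { run: false, reason: "result reused within sn_ti.threat_lookup_bypass_time" };
    }
  }
  return { run: true, reason: "no bypass applies" };
}

// Merge a finding produced by an automated lookup into the observable. While a
// user override is within sn_ti.observable_finding_override_expiry minutes the
// user's finding wins; a "none" expiry (null) preserves nothing.
function resolveFinding(observable, systemFinding, overrides, now) {
  const p = Object.assign({}, DEFAULT_PROPERTIES, overrides);
  const expiry = p["sn_ti.observable_finding_override_expiry"] || 0;
  if (p["sn_ti.enable_observable_finding_system_override"] &&
      observable.findingOverriddenAt != null &&
      minutesSince(observable.findingOverriddenAt, now) < expiry) {
    return observable.finding;
  }
  return systemFinding;
}

// Inactivation rule shared by indicators (180 days) and attack modes (360 days):
// a record not received from any source for that long is marked inactive.
function isStillActive(kind, lastReceivedAt, overrides, now) {
  const p = Object.assign({}, DEFAULT_PROPERTIES, overrides);
  const key = kind === "indicator"
    ? "sn_ti.indicator_inactivate_days"
    : "sn_ti.attack_mode_inactivate_days";
  return minutesSince(lastReceivedAt, now) / MIN_PER_DAY < p[key];
}
```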
Define a threat source
You can maintain a list of Threat Intelligence threat sources. Each source includes the ability to define how often a source is queried. You can also execute a threat source on demand to import the needed Structured Threat Information eXpression (STIX) data.
Before you begin
About this task
Threat Intelligence employs two technologies for importing threat-related information: STIX and Trusted Automated Exchange of Indicator Information (TAXII).
STIX provides a standardized, structured language for representing an extensive set of cyberthreat information. It covers indicators of compromise (IoC) activity (for example, IP addresses and file hashes) as well as contextual information about threats, such as attack modes/methods, that together more completely characterize the motivations, capabilities, and activities of a cyber adversary. As such, STIX data provides valuable information on how your organization can best defend against cyberthreats.
Trusted Automated Exchange of Indicator Information (TAXII) is used to facilitate automated exchange of cyberthreat information. TAXII defines a set of services and message exchanges that enable sharing of actionable cyberthreat information across organization and product/service boundaries for the detection, prevention, and mitigation of cyberthreats. TAXII profiles can be set up as repositories for sharing STIX-formatted information. Each profile contains one or more TAXII collections or feeds.
Procedure
- Navigate to All > Threat Intelligence > Sources > Threat Sources.
- Click New.
- Fill in the fields on the form, as appropriate.

Field | Description |
---|---|
Name | The name of the threat source. |
Application | The application that contains this record. |
Active | Select this check box to activate the threat source. |
Advanced | Select this check box to display the scripts in the Integration factory script and Report processor fields. |
Description | A description of this threat source. |

- Fill in the fields in the Schedule section, as appropriate.

Field | Description |
---|---|
Run | The frequency you want the integration to run: Daily, Weekly, Periodically, and so on. The fields that follow are displayed based on the setting of this field. |
Day | The day you want the integration to run. If you selected Weekly in the Run field, this field displays the days of the week. If you selected Monthly in the Run field, this field displays the days of the month. |
Time | The time you want the integration to start. |
Repeat Interval | If you selected Periodically in the Run field, this field displays the number of days and hours before the integration runs again. |
Starting | If you selected Periodically in the Run field, this field displays the date and time to be used as the starting point for periodic updates. |
Conditional | Select this check box if you want to add conditional parameters. |
Condition | If you selected the Conditional check box, enter the conditions here. |

- Fill in the fields in the Threat Details section, as appropriate.

Field | Description |
---|---|
Indicator | The indicator to use when the data doesn't explicitly provide one. For blocklists, if this field is empty, a new indicator is created for each observable. |
Indicator type | The indicator type to use for indicators that are created when the data doesn't explicitly provide an indicator type. |
Attack Mode/Method | The attack mode/method to use when the data doesn't explicitly provide one. |
Observable Type | The observable type to use for observables that are created when the data doesn't explicitly provide an observable type. |
Weight | Enter a weight value for this source to be used in the confidence calculation. |

Note: How the Indicator, Indicator Type, Attack Mode/Method, and Observable Type fields are used is implementation-specific. The default processor, SimpleBlocklistProcessor, behaves as the tooltips describe. A TAXII threat source, however, is fully data driven, and a custom threat source processor can use its own strategy. These fields are items exposed to the integration/processor; the implementation decides how to use them.

- Fill in the fields in the Source Details section, as appropriate.

Field | Description |
---|---|
Endpoint | Enter the web service endpoint URL where the threat source is accessed by Threat Intelligence. Click the lock icon to lock the URL. |
Use REST Message | If you need a REST message to access the threat source, select this check box. The REST message and REST method fields become required. |
REST message | Click the lookup icon and select the REST message from the list, or click New to define a new REST message. |
REST method | Click the lookup icon and select the REST method from the list, or click New to define a new REST method. |
Integration script | The default integration script is SimpleRESTSecurityDataIntegration. It runs a simple REST call, saves the response as an attachment, and then returns the attachment to the processor. This script meets the needs of most organizations, but you can click the lookup icon and select a different integration script or define a new one. |
Integration factory script | If the Advanced check box is selected, this field displays the actual script for constructing the integration script. You can edit the script as needed, which is useful for custom implementations. Integrations in the base system usually don't need any custom constructor logic. |
Report processor | The default report processor is SimpleBlocklistProcessor. This script is a simple processor that accepts a simple blocklist (simple, meaning a single-column document with observables such as URLs or IP addresses) and creates observables. It uses the various Threat Details fields to determine which fields to set when observables are created. |
Processor factory script | If the Advanced check box is selected, this field displays the actual script for constructing the processor. You can edit the script as needed, which is useful for custom implementations. Integrations in the base system usually don't need custom constructor logic. |

- Click Submit.

Note: For more information on how to configure the threat source's pagination, see the KB1213825 article.
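The Threat Details defaults only matter through the processor that reads them, and the description above of SimpleBlocklistProcessor (one observable per line, an indicator per observable when Indicator is empty) is enough to show the resulting records. The following is an added example, not ServiceNow's SimpleBlocklistProcessor: it processes a constructed single-column blocklist and emits the observables, indicators and m2m links that the tables installed with the plugin hold; the type-detection rules, record shapes and field names are assumptions for this example.

```javascript
// Added illustration, not ServiceNow's SimpleBlocklistProcessor. Assumed (not
// on the page): the observable-type detection rules, the in-memory record
// shapes and the camelCase names for the Threat Details fields.

// Observable Type Category -> Observable Type detection, constructed here.
// Order matters: the IP rule runs before the domain rule so "198.51.100.7"
// is typed as an IP address and not as a dotted domain name.
const OBSERVABLE_TYPE_RULES = [
  { type: "IP address", test: (v) => /^(\d{1,3}\.){3}\d{1,3}$/.test(v) && v.split(".").every((o) => Number(o) <= 255) },
  { type: "URL", test: (v) => /^https?:\/\/\S+$/i.test(v) },
  { type: "Domain name", test: (v) => /^(?!-)[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(v) },
  { type: "MD5 hash", test: (v) => /^[a-f0-9]{32}$/i.test(v) },
  { type: "SHA256 hash", test: (v) => /^[a-f0-9]{64}$/i.test(v) },
];

function detectObservableType(value) {
  const rule = OBSERVABLE_TYPE_RULES.find((r) => r.test(value));
  return rule ? rule.type : null;
}

// Parse a "simple blocklist": one observable per line; blank lines and
// '#' comment lines are ignored.
function parseBlocklist(text) {
  return text.split(/\r?\n/).map((l) => l.trim()).filter((l) => l && !l.startsWith("#"));
}

// Process a blocklist for a threat source. `source` carries the Threat Details
// fields (indicator, indicatorType, attackMode, observableType, weight).
// Returns the records that would be written: observables, indicators and the
// m2m links observable<->indicator, observable<->source, indicator<->attack mode.
function processBlocklist(text, source) {
  const out = { observables: [], indicators: [], observableIndicator: [],
                observableSource: [], indicatorAttackMode: [], skipped: [] };
  const seenValues = new Set();
  const linkedIndicators = new Set();
  for (const value of parseBlocklist(text)) {
    if (seenValues.has(value)) continue; // listed twice in one feed: one observable
    seenValues.add(value);
    // The data does not carry a type, so detect one and fall back to the
    // source's Observable Type default; with neither, the line is skipped.
    const type = detectObservableType(value) || source.observableType || null;
    if (!type) { out.skipped.push(value); continue; }
    out.observables.push({ value, type, weight: source.weight });
    out.observableSource.push({ observable: value, source: source.name });

    // Indicator empty: a new indicator per observable, typed from the source's
    // Indicator type default; otherwise every observable maps to the given one.
    let indicatorName = source.indicator;
    if (!indicatorName) {
      indicatorName = `${source.name}: ${value}`;
      out.indicators.push({ name: indicatorName, type: source.indicatorType });
    }
    out.observableIndicator.push({ observable: value, indicator: indicatorName });
    if (source.attackMode && !linkedIndicators.has(indicatorName)) {
      linkedIndicators.add(indicatorName);
      out.indicatorAttackMode.push({ indicator: indicatorName, attackMode: source.attackMode });
    }
  }
  return out;
}

// Constructed sample feed and threat source (RFC 5737 address, reserved
// .example name, MD5 of the empty string); not real indicators.
const SAMPLE_FEED = [
  "# constructed sample blocklist, one observable per line",
  "198.51.100.7",
  "http://blocklist.example/bad-page",
  "198.51.100.7",
  "d41d8cd98f00b204e9800998ecf8427e",
  "not an observable",
  "",
].join("\n");

const SAMPLE_SOURCE = { name: "Example blocklist", indicator: "", indicatorType: "Malicious IP",
                        attackMode: "Phishing", observableType: "", weight: 50 };
```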
Create a TAXII profile
You can maintain TAXII profiles for sharing STIX-formatted information. Each profile contains one or more TAXII collections or feeds.
Before you begin
Role required: sn_ti.admin
Procedure
- Navigate to All > Threat Intelligence > Sources > TAXII Profiles.
- Click New.
- Complete the following fields as appropriate.

Field | Description |
---|---|
Name | The name of the TAXII profile. |
Application | The application that contains this record. |
Use REST messages as template | If you require a REST message to access the TAXII profile, select this check box. |
TAXII Version | Specify the TAXII version. The supported STIX versions are 1.1, 2.0, and 2.1. |
Description | A description of this TAXII profile. |

- Fill in the fields in the Discovery Service Configuration section, as appropriate.

Field | Description |
---|---|
Discovery Service endpoint | The Discovery endpoint lets clients obtain information about a TAXII Server and get a list of API Roots. |
Use REST message | Select this option if you require a REST message to access the TAXII profile. The Discovery Service REST message and Discovery Service REST method fields become required. |
Discovery Service REST message | Click the lookup icon and select the REST message from the list, or click New to define a new REST message. |
Discovery Service REST method | Click the lookup icon and select the REST method from the list, or click New to define a new REST method. |

- Fill in the fields in the Collection Service Configuration section, as appropriate.

Field | Description |
---|---|
Collection Info Service endpoint | A TAXII Collection is an interface to a logical repository of CTI objects provided by a TAXII Server and is used by TAXII Clients to send information to the TAXII Server or request information from the TAXII Server. A TAXII Server can host multiple Collections per API Root, and Collections are used to exchange information in a request-response manner. |
Use REST message | Select this option if you require a REST message to access the TAXII profile. The Collection Info Service REST message and Collection Info Service REST method fields become required. |
Collection Info Service REST message | Click the lookup icon and select the REST message from the list, or click New to define a new REST message. |
Collection Info Service REST method | Click the lookup icon and select the REST method from the list, or click New to define a new REST method. |

- Click Submit.
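The profile above is the client side of the TAXII flow described in its field descriptions: the Discovery endpoint yields API Roots, each API Root lists Collections, and each Collection serves objects page by page, governed by the sn_ti.taxii.max_page_size and sn_ti.taxii2.retry_count properties from the properties table. The following is an added example, not ServiceNow's TAXII client: it walks that flow for TAXII 2.1 against an in-memory stand-in for a TAXII server, so the paging and retry behaviour can be run offline; the server data, URLs and failure injection are constructed for the example.

```javascript
// Added illustration, not ServiceNow's TAXII client. The URL layout and the
// limit/next/more paging follow TAXII 2.1; the server contents, the
// taxii.example host and the injected failures are constructed here.

// Constructed STIX 2.1 indicators served by the fake collection (made-up ids,
// RFC 5737 documentation addresses).
const FAKE_OBJECTS = Array.from({ length: 12 }, (_, i) => ({
  type: "indicator",
  id: `indicator--00000000-0000-4000-8000-${String(i).padStart(12, "0")}`,
  pattern: `[ipv4-addr:value = '203.0.113.${i}']`,
}));

// Minimal TAXII 2.1 server stand-in. `failuresLeft` makes the first N object
// requests fail so the retry path is exercised. A real client would also send
// "Accept: application/taxii+json;version=2.1" on every request.
function makeFakeServer(failuresLeft) {
  const root = "https://taxii.example/api1/";
  return {
    requests: 0,
    get(url) {
      this.requests++;
      const u = new URL(url);
      if (url === "https://taxii.example/taxii2/") {
        return { title: "Example server", api_roots: [root] };
      }
      if (url === root + "collections/") {
        return { collections: [{ id: "col-1", title: "Blocklist", can_read: true }] };
      }
      if (u.pathname === "/api1/collections/col-1/objects/") {
        if (failuresLeft-- > 0) throw new Error("503 Service Unavailable");
        const limit = Number(u.searchParams.get("limit"));
        const start = Number(u.searchParams.get("next") || 0);
        const objects = FAKE_OBJECTS.slice(start, start + limit);
        const more = start + limit < FAKE_OBJECTS.length;
        return { more, next: more ? String(start + limit) : undefined, objects };
      }
      throw new Error("404 " + url);
    },
  };
}

// sn_ti.taxii2.retry_count: retries *after* the first attempt, so a count of 3
// allows four attempts before the failure is surfaced.
function getWithRetry(server, url, retryCount) {
  let lastError;
  for (let attempt = 0; attempt <= retryCount; attempt++) {
    try { return server.get(url); } catch (e) { lastError = e; }
  }
  throw lastError;
}

// Discovery -> API root -> readable collections -> every page of objects.
function fetchAllObjects(server, discoveryUrl, props) {
  // sn_ti.taxii.max_page_size: default 5000, capped at 50000 as in the table.
  const pageSize = Math.min(props["sn_ti.taxii.max_page_size"] ?? 5000, 50000);
  const retries = props["sn_ti.taxii2.retry_count"] ?? 3;
  const discovery = getWithRetry(server, discoveryUrl, retries);
  const apiRoot = discovery.api_roots[0];
  const { collections } = getWithRetry(server, apiRoot + "collections/", retries);
  const all = [];
  for (const c of collections.filter((col) => col.can_read)) {
    let next = null;
    do {
      const q = new URLSearchParams({ limit: String(pageSize) });
      if (next) q.set("next", next);
      const page = getWithRetry(server, `${apiRoot}collections/${c.id}/objects/?${q}`, retries);
      all.push(...page.objects);
      next = page.more ? page.next : null; // keep paging while the envelope says more
    } while (next);
  }
  return all;
}
```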