TQX - Getting Started Transcript

1 00:00:11.094 --> 00:00:19.519 The ThreatQ Data Exchange’s OpenDXL data transport enables bi-directional sharing of threat intelligence across multiple ThreatQ instances.
2 00:00:20.103 --> 00:00:23.815 This video will walk you through the process of creating your first connection.
3 00:00:24.607 --> 00:00:29.112 You can review all TQX OpenDXL requirements on the ThreatQ Help Center.
4 00:00:29.612 --> 00:00:33.158 For this video, we will be using a publisher and a subscriber instance.
5 00:00:33.742 --> 00:00:37.537 ThreatQ instances start off as subscriber instances by default.
6 00:00:38.163 --> 00:00:43.168 In order to convert one of those instances into a publisher, you will need a TQX license.
7 00:00:43.710 --> 00:00:47.756 Applying a TQX license to an instance will convert it into a publisher instance.
8 00:00:48.339 --> 00:00:55.388 From the publisher instance, click on the Data Exchange heading and select the Set Up Server option under the OpenDXL heading.
9 00:00:55.972 --> 00:00:58.183 The Data Exchange setup wizard will load.
10 00:00:58.641 --> 00:01:01.061 Click on the Setup Data Exchange button to begin.
11 00:01:01.644 --> 00:01:03.146 Enter the name of your platform.
12 00:01:03.646 --> 00:01:07.609 This is the name that you will use to identify yourself on the Connections page.
13 00:01:08.026 --> 00:01:11.613 Subscribers will also see this name when viewing their Topology view.
14 00:01:12.113 --> 00:01:15.325 You can change this name later, but it will only affect your view.
15 00:01:15.784 --> 00:01:18.745 Subscribers will still see the name you entered in this step.
16 00:01:19.662 --> 00:01:23.708 The Domain field is automatically populated based on your ThreatQ instance.
17 00:01:24.042 --> 00:01:27.378 Leave this field as is and click on the Next button to proceed.
18 00:01:28.046 --> 00:01:32.842 Update the Data Transport Name if desired; otherwise, use the default entry.
19 00:01:33.301 --> 00:01:37.055 This name will be used to identify the broker node in your Topology view.
20 00:01:37.722 --> 00:01:42.143 Subscribers are given the option to name the data transport during their connection setup.
21 00:01:42.727 --> 00:01:46.064 The name you enter in this field will not affect what subscribers see.
22 00:01:46.689 --> 00:01:48.483 Click on the Next button to proceed.
23 00:01:48.983 --> 00:01:56.866 Enter a Client Name and click on the Create Credentials button for each subscriber you will connect to using the OpenDXL data transport.
24 00:01:57.408 --> 00:02:03.748 The names you enter here will only affect your Topology view, as subscribers will be able to name their own instances.
25 00:02:04.499 --> 00:02:09.587 Download the credential files and transfer them to the administrators of the subscriber instances.
26 00:02:16.177 --> 00:02:19.180 Click on the Finish Setup button to close the wizard.
27 00:02:19.722 --> 00:02:22.684 The Topology view will load after the wizard closes.
28 00:02:23.560 --> 00:02:26.896 The nodes represent the publisher transport and the data broker.
29 00:02:30.942 --> 00:02:36.406 Now we are switching to the subscriber instance, which has received the credentials from the publisher.
30 00:02:37.031 --> 00:02:40.910 Click on the Data Exchange menu heading and select Set Up Server.
31 00:02:41.911 --> 00:02:44.038 The Data Exchange wizard will load.
32 00:02:44.289 --> 00:02:47.083 Click on the Connect to Data Exchange button to begin.
33 00:02:47.709 --> 00:02:49.210 Enter a name for your instance.
34 00:02:49.794 --> 00:02:52.964 This name will only be visible to you in your Topology view.
35 00:02:53.673 --> 00:02:55.300 Click on the Next button to proceed.
36 00:02:55.925 --> 00:02:59.012 Upload the client credentials file that you received from the publisher.
37 00:02:59.554 --> 00:03:04.601 You can update the Data Transport Name if desired; otherwise, use the default entry.
38 00:03:05.143 --> 00:03:09.022 This name will be used to identify the transport node in your Topology view.
39 00:03:09.731 --> 00:03:12.400 Click on the Finish Setup button to complete the process.
40 00:03:12.859 --> 00:03:15.028 The subscriber’s Topology view will load.
41 00:03:15.486 --> 00:03:19.115 It can take up to 30 seconds for the discovery process to complete.
42 00:03:19.699 --> 00:03:22.243 Refresh the page in order to see the new connection.
43 00:03:22.785 --> 00:03:28.791 After the instances have discovered each other, the OpenDXL Connections pages will show the connections.
44 00:03:29.417 --> 00:03:34.547 The publisher will now see the subscriber node, and the subscriber will now see the publisher node.
45 00:03:36.549 --> 00:03:39.385 At this point, the two instances are connected.
46 00:03:40.136 --> 00:03:44.807 Next, we are going to create our first data feed using the publisher instance.
47 00:03:45.558 --> 00:03:51.940 It is important to note that these steps can also be used by a subscriber to create and share a data feed with the publisher.
48 00:03:52.857 --> 00:03:56.110 Click on the Data Exchange heading and select the Data Feeds option.
49 00:03:58.529 --> 00:04:00.031 The Data Feeds page will load.
50 00:04:00.490 --> 00:04:04.619 This page will display all incoming and outgoing data feeds for the instance.
51 00:04:05.286 --> 00:04:06.996 Click on the Create Feed button.
52 00:04:08.790 --> 00:04:10.708 Enter the name you want to use for your feed.
53 00:04:11.209 --> 00:04:14.003 Select the frequency at which the feed will be published.
54 00:04:15.964 --> 00:04:18.216 Enter an optional description for the data feed.
55 00:04:19.509 --> 00:04:22.303 Select which instance you want to share the data feed with.
56 00:04:23.137 --> 00:04:26.099 Publishers have the ability to select the Offer Feed to Public option.
57 00:04:27.267 --> 00:04:31.104 This allows any connected subscriber instances to receive the feed.
58 00:04:31.646 --> 00:04:36.943 This option is not available to subscribers, as they can only share their data feeds with the publisher.
59 00:04:37.527 --> 00:04:40.488 Select the data collection to be used to send the data.
60 00:04:41.072 --> 00:04:50.039 You can also click on the Create a New Data Collection option to open the Threat Library in a new tab and create a data collection.
61 00:04:50.290 --> 00:04:55.753 Select the supporting context that should be included in the feed using the checkboxes supplied.
62 00:04:56.587 --> 00:05:00.174 Only fields used in the exported data are selectable.
63 00:05:00.800 --> 00:05:04.721 Fields not associated with the selected data collection are greyed out.
64 00:05:05.555 --> 00:05:08.975 Select the relational data to be included in the transfer.
65 00:05:09.726 --> 00:05:15.857 See the Data Feed section on the Help Center for the specific relational data included per system object type.
66 00:05:16.482 --> 00:05:20.737 Lastly, you can choose to override the source of the feed with a new source name.
67 00:05:21.321 --> 00:05:23.823 We are leaving this option disabled for this video.
68 00:05:24.198 --> 00:05:28.661 Scroll to the top of the page and click on the Enable toggle switch to enable the feed.
69 00:05:29.287 --> 00:05:31.748 Then scroll to the bottom and click on the Save button.
70 00:05:35.710 --> 00:05:41.299 The recipients of the feed receive a system notification that a new feed is available for subscription.
71 00:05:41.841 --> 00:05:49.682 This notification includes a link to the OpenDXL Data Feeds page, which allows the recipient to review feed details before subscribing.
72 00:05:51.559 --> 00:05:57.648 Subscribers can also see and subscribe to shared feeds from the Topology view by clicking on their node.
73 00:05:58.358 --> 00:06:02.195 Here, we see that our data feed is listed under the Incoming Feeds heading.
74 00:06:02.779 --> 00:06:09.202 Click on the toggle switch, select the default statuses for the object types, and then click on the Subscribe button.
75 00:06:09.660 --> 00:06:13.289 The subscriber is now subscribed to the data feed offered by the publisher.
76 00:06:14.082 --> 00:06:18.878 See the ThreatQ Help Center for more details on TQX’s OpenDXL transport.