Using the ThreatConnect TAXII Server
  • 21 Mar 2024
  • 3 Minutes to read
  • Dark

Using the ThreatConnect TAXII Server

  • Dark

Article summary


The ThreatConnect® TAXII™ 1.x server can be used by an external TAXII client to retrieve data from your Organization and any Communities or Sources to which you have access. To connect to the ThreatConnect TAXII server, the external TAXII client will require login credentials (username and password), which are configured by creating a TAXII user, as detailed in this article. For instructions on using the TAXII 2.1 server in ThreatConnect, see Using the ThreatConnect TAXII 2.1 Server.

The TAXII client will also require a Discovery URL of the form The POLL URL is of the form The exact URL will differ for users on a private instance of ThreatConnect. Refer to for details on the API endpoints available with the TAXII 1.x server in ThreatConnect.

The ThreatConnect TAXII 1.x server supports Discovery, Collection-Management, and POLL requests, including multi-part POLL exchanges. TAXII 1.1 documentation may be found at

Before You Start

Minimum Role(s)Organization role of Organization Administrator (for creating a TAXII user account)
  • Your Organization’s TAXII User Limit must be set to a value greater than zero 
  • A TAXII user account is required in order to retrieve data from the ThreatConnect TAXII 1.x server

Creating a TAXII User

  1. On the top navigation bar, hover the cursor over Settings A picture containing text, clipart, light  Description automatically generated and select Org Settings. The Organization Settings screen will be displayed (Figure 1).

    Graphical user interface, text, application, email  Description automatically generated


  2. Click the Create TAXII User button. The TAXII User Administration window will be displayed (Figure 2).

    Graphical user interface, application  Description automatically generated


    • TAXII Service: Keep the selection of Core TAXII Service. Any other menu options are for TAXII 2.1 services.
    • Username: Enter a name for the TAXII user.
    • Password: Enter a password for the TAXII user.
    • Pseudonym: A pseudonym is created automatically and cannot be edited. Owners of Communities and Sources to which the user belongs will see this name when viewing their members.
    • Translator Version: Select the type of data that can be delivered by the TAXII server. STIX 1.1.1 Indicators TC_V2 is the recommended translator. It converts ThreatConnect Indicators to individual STIX™ Indicators and is compatible with the TC_V2 Parser. It also inserts pipe-delimited metadata (Description, Source, Threat Rating, ThreatAssess score, False Positives, and Owner) into each Indicator’s description and includes Observations and Confidence Rating in separate STIX fields. STIX 1.1.1 Indicators TC_V1 (Legacy Translator) aggregates multiple ThreatConnect Indicators into a single watchlist for a particular type of Indicator and is compatible with the TC_V1 Parser.
    • Package TLP: Select the Traffic Light Protocol (TLP) level that will be added to the STIX package provided by the server. Selecting Most Restrictive Content TLP will label the package with the highest-level TLP marking found in the outbound content. Selecting a specific TLP color or None will consistently mark all outbound packages as such. The following is example XML for the TLP marking provided in the STIX header of the STIX package:
      <stix:Title>Report: System</stix:Title>
      <marking:Marking_Structure color="RED" xsi:type="tlpMarking:TLPMarkingStructureType"/>
    • ID Prefix: Select the namespace prefix for generated STIX IDs.
    • Organization Role: An Organization role of Standard User is selected automatically and cannot be changed.
    • Locked: Select this checkbox to lock the TAXII user’s account.
    • Disabled: Select this checkbox to disable the TAXII user’s account.
  3. Click the SAVE button.
The total number of TAXII users created cannot exceed the number allocated by the API limit.
Each TAXII user uses a different API key when employing TAXII for defensive integrations.

You can now log into a TAXII client using your new credentials to access the ThreatConnect TAXII 1.x server and retrieve data from your Organization, Communities, and Sources.

Retrieving Data from the TAXII 1.x Server

Instructions on retrieving data from the ThreatConnect TAXII 1.x server using your TAXII user account are available at

ThreatConnect® is a registered trademark of ThreatConnect, Inc.
STIX™ and TAXII™ are trademarks of The MITRE Corporation.

20065-01 v.06.C

Was this article helpful?

What's Next