Using the ThreatConnect TAXII Server
- Updated on 21 Mar 2024
Overview
The ThreatConnect® TAXII™ 1.x server can be used by an external TAXII client to retrieve data from your Organization and any Communities or Sources to which you have access. To connect to the ThreatConnect TAXII server, the external TAXII client will require login credentials (username and password), which are configured by creating a TAXII user, as detailed in this article. For instructions on using the TAXII 2.1 server in ThreatConnect, see Using the ThreatConnect TAXII 2.1 Server.
The TAXII client will also require a Discovery URL of the form http://api.threatconnect.com/taxii/discovery. The POLL URL is of the form http://api.threatconnect.com/taxii/poll. The exact URL will differ for users on a private instance of ThreatConnect. Refer to https://docs.threatconnect.com/en/latest/rest_api/taxii/taxii.html for details on the API endpoints available with the TAXII 1.x server in ThreatConnect.
The ThreatConnect TAXII 1.x server supports Discovery, Collection-Management, and POLL requests, including multi-part POLL exchanges. TAXII 1.1 documentation may be found at https://taxiiproject.github.io/releases/1.1/TAXII_Services_Specification.pdf.
Before You Start
| Minimum Role(s) | Organization role of Organization Administrator (for creating a TAXII user account) |
|---|---|
| Prerequisites | |
Creating a TAXII User
- On the top navigation bar, hover the cursor over Settings and select Org Settings. The Organization Settings screen will be displayed (Figure 1).
- Click the Create TAXII User button. The TAXII User Administration window will be displayed (Figure 2).
- TAXII Service: Keep the selection of Core TAXII Service. Any other menu options are for TAXII 2.1 services.
- Username: Enter a name for the TAXII user.
- Password: Enter a password for the TAXII user.
- Pseudonym: A pseudonym is created automatically and cannot be edited. Owners of Communities and Sources to which the user belongs will see this name when viewing their members.
- Translator Version: Select the type of data that can be delivered by the TAXII server. STIX 1.1.1 Indicators TC_V2 is the recommended translator. It converts ThreatConnect Indicators to individual STIX™ Indicators and is compatible with the TC_V2 Parser. It also inserts pipe-delimited metadata (Description, Source, Threat Rating, ThreatAssess score, False Positives, and Owner) into each Indicator’s description and includes Observations and Confidence Rating in separate STIX fields. STIX 1.1.1 Indicators TC_V1 (Legacy Translator) aggregates multiple ThreatConnect Indicators into a single watchlist for a particular type of Indicator and is compatible with the TC_V1 Parser.
- Package TLP: Select the Traffic Light Protocol (TLP) level that will be added to the STIX package provided by the server. Selecting Most Restrictive Content TLP will label the package with the highest-level TLP marking found in the outbound content. Selecting a specific TLP color or None will consistently mark all outbound packages as such. The following is example XML for the TLP marking provided in the STIX header of the STIX package:
```xml
<stix:STIX_Header>
  <stix:Title>Report: System</stix:Title>
  <stix:Package_Intent>INDICATORS</stix:Package_Intent>
  <stix:Handling>
    <marking:Marking>
      <marking:Marking_Structure color="RED" xsi:type="tlpMarking:TLPMarkingStructureType"/>
    </marking:Marking>
  </stix:Handling>
</stix:STIX_Header>
```
- ID Prefix: Select the namespace prefix for generated STIX IDs.
- Organization Role: An Organization role of Standard User is selected automatically and cannot be changed.
- Locked: Select this checkbox to lock the TAXII user’s account.
- Disabled: Select this checkbox to disable the TAXII user’s account.
- Click the SAVE button.
You can now log into a TAXII client using your new credentials to access the ThreatConnect TAXII 1.x server and retrieve data from your Organization, Communities, and Sources.
Retrieving Data from the TAXII 1.x Server
Instructions on retrieving data from the ThreatConnect TAXII 1.x server using your TAXII user account are available at docs.threatconnect.com/en/latest/rest_api/taxii/taxii.html.
ThreatConnect® is a registered trademark of ThreatConnect, Inc.
STIX™ and TAXII™ are trademarks of The MITRE Corporation.
20065-01 v.06.C