TAXII 2 Feed

Ingest indicator feeds from TAXII 2.0 and 2.1 servers.

Configure TAXII 2 Feed on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for TAXII 2 Feed.
  3. Click Add instance to create and configure a new integration instance.
| Parameter | Required |
| --- | --- |
| Fetch indicators | False |
| Indicator Reputation | False |
| Source Reliability | True |
| Traffic Light Protocol Color | False |
| Feed Fetch Interval | False |
| Bypass exclusion list | False |
| Discovery Service URL (e.g. https://example.net/taxii) | True |
| Username / API Key / Custom Auth Header | False |
| Collection Name To Fetch Indicators From | False |
| Full Feed Fetch | False |
| Max Indicators Per Fetch (disabled for Full Feed Fetch) | False |
| First Fetch Time | False |
| Filter Arguments | False |
| Max STIX Objects Per Poll | False |
| Complex Observation Mode | False |
| Trust any certificate (not secure) | False |
| Use system proxy settings | False |
| Tags | False |
  4. Click Test to validate the URLs, token, and connection.

Using API Token authentication

To use the integration with an API token, first set the Username / API Key (see '?') field to _api_token_key. Then enter the API token in the Password field; this value is sent as an API key.

Using custom authentication header

If the TAXII 2 server you are connecting to requires a custom authentication header, first set the Username / API Key (see '?') field to _header: followed by the custom header name, e.g. _header:custom_auth. Then enter the header value in the Password field; this value is sent as the value of that custom auth header.

Complex Observation Mode

Two or more Observation Expressions MAY be combined using a complex observation operator such as "AND", "OR", or "FOLLOWEDBY", e.g. [ IP = 'b' ] AND [ URL = 'd' ]. These relationships are not represented in Cortex XSOAR TIM indicators. You can choose to create indicators for the individual observations while ignoring the relation between them, or to ignore complex expressions entirely; if you choose the latter, no indicator is created for complex observations.
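The two modes described above, as an added Python example (not the integration's own code): it splits a STIX pattern into its bracketed observations, reports whether the pattern is complex, and either flattens or drops complex observations. The TYPE_MAP mapping from STIX object paths to TIM indicator types is an assumption for this example; the page's pseudo-syntax ([ IP = 'b' ]) is also accepted, with unmapped paths kept under their raw name.

```python
import re
from typing import Dict, List, Tuple

# Added example, not the integration's own code: decide what becomes a TIM
# indicator from a STIX pattern under each "Complex Observation Mode" choice.

# One bracketed Observation Expression, e.g. [ipv4-addr:value = '203.0.113.9'].
# Object paths that themselves contain '[' (list indexes such as x[*]) are not handled.
OBSERVATION_RE = re.compile(r"\[([^\[\]]*)\]")
# One comparison inside an observation: <object-path> <operator> '<value>'.
COMPARISON_RE = re.compile(r"([\w\-:.']+)\s*(=|!=|LIKE|MATCHES)\s*'((?:[^'\\]|\\.)*)'")

# STIX object path -> TIM indicator type. Assumed mapping for this example only.
TYPE_MAP: Dict[str, str] = {
    "ipv4-addr:value": "IP",
    "ipv6-addr:value": "IPv6",
    "domain-name:value": "Domain",
    "url:value": "URL",
    "email-addr:value": "Email",
    "file:hashes.'MD5'": "File",
    "file:hashes.'SHA-256'": "File",
}


def split_observations(pattern: str) -> List[str]:
    """Return the body of every top-level Observation Expression in the pattern."""
    return [body.strip() for body in OBSERVATION_RE.findall(pattern)]


def is_complex(pattern: str) -> bool:
    """True when two or more observations are joined by AND, OR or FOLLOWEDBY."""
    return len(split_observations(pattern)) > 1


def extract_indicators(pattern: str, create_for_complex: bool) -> List[Tuple[str, str]]:
    """Return (indicator_type, value) pairs for one STIX indicator pattern.

    create_for_complex=True flattens a complex observation: every comparison becomes
    its own indicator and the AND/OR/FOLLOWEDBY relation is dropped.
    create_for_complex=False ignores complex observations entirely (no indicators).
    Simple (single-observation) patterns behave the same in both modes; only '='
    comparisons yield indicators, and unmapped object paths keep their raw name.
    """
    observations = split_observations(pattern)
    if len(observations) > 1 and not create_for_complex:
        return []
    found: List[Tuple[str, str]] = []
    for body in observations:
        for path, operator, value in COMPARISON_RE.findall(body):
            if operator == "=":
                found.append((TYPE_MAP.get(path, path), value))
    return found
```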

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

taxii2-get-indicators

Allows you to test your feed and to make sure you can fetch indicators successfully.

Base Command

taxii2-get-indicators

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| raw | Will return only the rawJSON of the indicator object. | Optional |
| limit | Maximum number of indicators to fetch. | Optional |
| added_after | Fetch only indicators that were added to the server after the given time. Provide a <number> and <time unit> of type minute/hour/day. For example: 1 minute, 12 hours, 24 days. | Optional |
| filter_args | TAXII filter arguments. Comma-separated values, e.g. "added_after=<date>,revoked=true". | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| TAXII2.Indicators.type | String | Indicator type. |
| TAXII2.Indicators.value | String | Indicator value. |
| TAXII2.Indicators.rawJSON | String | Indicator rawJSON. |

Command Example

!taxii2-get-indicators limit=3

Human Readable Output

| value | type |
| --- | --- |
| coronashop.jp | Domain |
| e6ecb146f469d243945ad8a5451ba1129c5b190f7d50c64580dbad4b8246f88e | File |
| 2014[.]zzux[.]com | Domain |

taxii2-get-collections

Gets the list of collections from the discovery service.

Base Command

taxii2-get-collections

Input

There are no input arguments for this command.

Context Output

| Path | Type | Description |
| --- | --- | --- |
| TAXII2.Collections.ID | String | Collection ID. |
| TAXII2.Collections.Name | String | Collection Name. |

Command Example

!taxii2-get-collections

Human Readable Output

| Name | ID |
| --- | --- |
| Phish Tank | 107 |
| Abuse.ch Ransomware IPs | 135 |
| Abuse.ch Ransomware Domains | 136 |
| DShield Scanning IPs | 150 |
| Malware Domain List - Hotlist | 200 |
| Blutmagie TOR Nodes | 209 |
| Emerging Threats C&C Server | 31 |
| DT COVID-19 | 313 |
| Lehigh Malwaredomains | 33 |
| CyberCrime | 41 |
| Emerging Threats - Compromised | 68 |

taxii2-reset-fetch-indicators

WARNING: This command will reset your fetch history.

Base Command

taxii2-reset-fetch-indicators

Input

There are no input arguments for this command.

Context Output

There is no context output for this command.

Command Example

!taxii2-reset-fetch-indicators

Human Readable Output

Fetch was reset successfully. Your next indicator fetch will collect indicators from the configured "First Fetch Time".