Skip to main content

TAXII 2 Feed

This Integration is part of the TAXII Feed Pack.#

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

Ingest indicator feeds from TAXII 2.0 and 2.1 servers.

Configure TAXII 2 Feed on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for TAXII 2 Feed.
  3. Click Add instance to create and configure a new integration instance.
ParameterDescriptionRequired
Fetch indicatorsFalse
Indicator ReputationIndicators from this integration instance will be marked with this reputationFalse
Source ReliabilityReliability of the source providing the intelligence dataTrue
Traffic Light Protocol ColorThe Traffic Light Protocol (TLP) designation to apply to indicators fetched from the feedFalse
Feed Fetch IntervalFalse
Bypass exclusion listWhen selected, the exclusion list is ignored for indicators from this feed. This means that if an indicator from this feed is on the exclusion list, the indicator might still be added to the system.False
Discovery Service URL (e.g. https://example.net/taxii)True
Username / API KeyFalse
PasswordFalse
Collection Name To Fetch Indicators FromIndicators will be fetched from this collection. Run "taxii2-get-collections" command to get a valid value. If left empty, the instance will try to fetch from all the collections in the given discovery service.False
Incremental FeedIncremental feeds pull only new or modified indicators that have been sent from the integration. As the determination if the indicator is new or modified happens on the 3rd-party vendor's side, and only indicators that are new or modified are sent to Cortex XSOAR, all indicators coming from these feeds are labeled new or modified.False
Full Feed FetchWhen enabled, fetch-indicators will try to fetch the entire feed for every fetch. When disabled, fetch-indicators will try to fetch just the latest entries (since the last fetch).False
Max Indicators Per Fetch (disabled for Full Feed Fetch)The maximum number of indicators that can be fetched per fetch. If this field is left empty, there will be no limit on the number of indicators fetched.False
First Fetch TimeThe time interval for the first fetch (retroactive). <number> <time unit> of type minute/hour/day/year. For example, 1 minute, 12 hourFalse
STIX Objects To FetchFalse
Certificate File as TextAdd a certificate file as text to connect to the TAXII serverFalse
Key File as TextAdd a key file as text to connect to the TAXII serverFalse
Max STIX Objects Per PollSet the number of stix object that will be requested with each taxii poll (http request). A single fetch is made of several taxii polls. Changing this setting can help speed up fetches, or fix issues on slower networks. Please note server restrictions may apply, overriding and limiting the "requested limit".False
Complex Observation ModeChoose how to handle complex observations. Two or more Observation Expressions MAY be combined using a complex observation operator such as "AND", "OR". e.g. `[ IP = 'b' ] AND [ URL = 'd' ]`False
Trust any certificate (not secure)False
Use system proxy settingsFalse
TagsSupports CSV values.False
Default API Root to useThe Default API Root to use (e.g. default, public). If left empty, the server default API root will be used. When the server has no default root, the first available API root will be used instead. Providing an API root that can't be reached will result in an error message with all possible API roots listed.False
  1. Click Test to validate the URLs, token, and connection.

Using API Token authentication#

In order to use the integration with an API token you'll first need to change the Username / API Key (see '?') field to _api_token_key. Following this step, you can now enter the API Token into the Password field - this value will be used as an API key.

Using custom authentication header#

In case the TAXII 2 server you're trying to connect to requires a custom authentication header, you'll first need to change the Username / API Key (see '?') field to _header: and the custom header name, e.g. _header:custom_auth. Following this step, you can now enter the custom auth header value into the Password field - this value will be used as a custom auth header.

Complex Observation Mode#

Two or more Observation Expressions MAY be combined using a complex observation operator such as "AND", "OR", and "FOLLOWEDBY". e.g. [ IP = 'b' ] AND [ URL = 'd' ]. These relationships are not represented in in CORTEX XSOAR TIM indicators. You can opt to create them while ignoring these relations, or you can opt to ignore these expressions - if you chose the latter, then no indicator will be created for complex observations.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

taxii2-get-indicators#


Allows you to test your feed and to make sure you can fetch indicators successfuly.

Base Command#

taxii2-get-indicators

Input#

Argument NameDescriptionRequired
rawWill return only the rawJSON of the indicator object.Optional
limitMaximum number of indicators to fetch.Optional
added_afterFetch only indicators that were added to the server after the given time. Please provide a <number> and <time unit> of type minute/hour/day. For example, 1 minute, 12 hour, 24 days.Optional

Context Output#

PathTypeDescription
TAXII2.Indicators.typeStringIndicator type.
TAXII2.Indicators.valueStringIndicator value.
TAXII2.Indicators.rawJSONStringIndicator rawJSON.

Command Example#

!taxii2-get-indicators limit=3

Human Readable Output#

valuetype
coronashop.jpDomain
e6ecb146f469d243945ad8a5451ba1129c5b190f7d50c64580dbad4b8246f88eFile
2014[.]zzux[.]comDomain

taxii2-get-collections#


Gets the list of collections from the discovery service.

Base Command#

taxii2-get-collections

Input#

There are no input arguments for this command.

Context Output#

PathTypeDescription
TAXII2.Collections.IDStringCollection ID.
TAXII2.Collections.NameStringCollection Name.

Command Example#

!taxii2-get-collections

Human Readable Output#

NameID
Phish Tank107
Abuse.ch Ransomware IPs135
Abuse.ch Ransomware Domains136
DShield Scanning IPs150
Malware Domain List - Hotlist200
Blutmagie TOR Nodes209
Emerging Threats C&C Server31
DT COVID-19313
Lehigh Malwaredomains33
CyberCrime41
Emerging Threats - Compromised68

taxii2-reset-fetch-indicators#


WARNING: This command will reset your fetch history.

Base Command#

taxii2-reset-fetch-indicators

Input#

There are no input arguments for this command.

Context Output#

There is no context output for this command.

Command Example#

!taxii2-reset-fetch-indicators

Human Readable Output#

Fetch was reset successfully. Your next indicator fetch will collect indicators from the configured "First Fetch Time"