TAXII 2 Feed
Ingest indicator feeds from TAXII 2.0 and 2.1 servers.
Configure TAXII 2 Feed on Cortex XSOAR
- Navigate to Settings > Integrations > Servers & Services.
- Search for TAXII 2 Feed.
- Click Add instance to create and configure a new integration instance.
| Parameter | Required |
|---|---|
| Fetch indicators | False |
| Indicator Reputation | False |
| Source Reliability | True |
| Feed Fetch Interval | False |
| Bypass exclusion list | False |
| Discovery Service URL (e.g. https://example.net/taxii\) | True |
| Username / API Key / Custom Auth Header | False |
| Collection Name To Fetch Indicators From | False |
| Full Feed Fetch | False |
| Max Indicators Per Fetch (disabled for Full Feed Fetch) | False |
| First Fetch Time | False |
| Filter Arguments | False |
| Max STIX Objects Per Poll | False |
| Complex Observation Mode | False |
| Trust any certificate (not secure) | False |
| Use system proxy settings | False |
| Tags | False |
- Click Test to validate the URLs, token, and connection.
Using API Token authentication
In order to use the integration with an API token you'll first need to change the Username / API Key (see '?') field to _api_token_key. Following this step, you can now enter the API Token into the Password field - this value will be used as an API key.
Using custom authentication header
In case the TAXII 2 server you're trying to connect to requires a custom authentication header, you'll first need to change the Username / API Key (see '?') field to _header: and the custom header name, e.g. _header:custom_auth. Following this step, you can now enter the custom auth header value into the Password field - this value will be used as a custom auth header.
Complex Observation Mode
Two or more Observation Expressions MAY be combined using a complex observation operator such as "AND", "OR", and "FOLLOWEDBY". e.g. [ IP = 'b' ] AND [ URL = 'd' ]. These relationships are not represented in in CORTEX XSOAR TIM indicators. You can opt to create them while ignoring these relations, or you can opt to ignore these expressions - if you chose the latter, then no indicator will be created for complex observations.
Commands
You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
taxii2-get-indicators
Allows you to test your feed and to make sure you can fetch indicators successfuly.
Base Command
taxii2-get-indicators
Input
| Argument Name | Description | Required |
|---|---|---|
| raw | Will return only the rawJSON of the indicator object. | Optional |
| limit | Maximum number of indicators to fetch. | Optional |
| added_after | Fetch only indicators that were added to the server after the given time. Please provide a <number> and <time unit> of type minute/hour/day. For example, 1 minute, 12 hour, 24 days. | Optional |
| filter_args | TAXII filter arguments. Comma-separated values e.g.: "added_after=<date>,revoked=true". | Optional |
Context Output
| Path | Type | Description |
|---|---|---|
| TAXII2.Indicators.type | String | Indicator type. |
| TAXII2.Indicators.value | String | Indicator value. |
| TAXII2.Indicators.rawJSON | String | Indicator rawJSON. |
Command Example
!taxii2-get-indicators limit=3
Human Readable Output
| value | type |
|---|---|
| coronashop.jp | Domain |
| e6ecb146f469d243945ad8a5451ba1129c5b190f7d50c64580dbad4b8246f88e | File |
| 2014[.]zzux[.]com | Domain |
taxii2-get-collections
Gets the list of collections from the discovery service.
Base Command
taxii2-get-collections
Input
There are no input arguments for this command.
Context Output
| Path | Type | Description |
|---|---|---|
| TAXII2.Collections.ID | String | Collection ID. |
| TAXII2.Collections.Name | String | Collection Name. |
Command Example
!taxii2-get-collections
Human Readable Output
| Name | ID |
|---|---|
| Phish Tank | 107 |
| Abuse.ch Ransomware IPs | 135 |
| Abuse.ch Ransomware Domains | 136 |
| DShield Scanning IPs | 150 |
| Malware Domain List - Hotlist | 200 |
| Blutmagie TOR Nodes | 209 |
| Emerging Threats C&C Server | 31 |
| DT COVID-19 | 313 |
| Lehigh Malwaredomains | 33 |
| CyberCrime | 41 |
| Emerging Threats - Compromised | 68 |
taxii2-reset-fetch-indicators
WARNING: This command will reset your fetch history.
Base Command
taxii2-reset-fetch-indicators
Input
There are no input arguments for this command.
Context Output
There is no context output for this command.
Command Example
!taxii2-reset-fetch-indicators
Human Readable Output
Fetch was reset successfully. Your next indicator fetch will collect indicators from the configured "First Fetch Time"