The ThreatConnect® TAXII™ server can be used by an external TAXII client to retrieve data from a ThreatConnect user’s Organization and any Communities or Sources to which the user has access. To connect to the ThreatConnect TAXII server, the external TAXII client will require login credentials (username and password), which are configured by creating a TAXII user, as detailed in this document.
The TAXII client will also require a Discovery URL of the form https://api.threatconnect.com/taxii/discovery. The POLL URL is of the form https://api.threatconnect.com/taxii/poll. The exact URL will differ for users on a private instance of ThreatConnect. Refer to https://docs.threatconnect.com/en/latest/rest_api/taxii/taxii.html for details on the API endpoints for working with TAXII in ThreatConnect.
The ThreatConnect TAXII Server supports Discovery, Collection-Management, and POLL requests, including multi-part POLL exchanges. TAXII 1.1 documentation may be found at https://taxiiproject.github.io/releases/1.1/TAXII_Services_Specification.pdf.
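The Discovery exchange described above, as an added example that is not ThreatConnect's own code: it builds the TAXII 1.1 Discovery request a client would POST to the Discovery URL and extracts the advertised service addresses from a response. HTTP Basic authentication for the TAXII user's credentials, the helper names, and the sample response are assumptions constructed for illustration.

```python
import base64
import urllib.request
import xml.etree.ElementTree as ET

NS = "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
T = "{%s}" % NS
# Headers defined by the TAXII 1.1 HTTP protocol binding for XML messages.
TAXII_HEADERS = {
    "Content-Type": "application/xml",
    "Accept": "application/xml",
    "X-TAXII-Content-Type": "urn:taxii.mitre.org:message:xml:1.1",
    "X-TAXII-Accept": "urn:taxii.mitre.org:message:xml:1.1",
    "X-TAXII-Services": "urn:taxii.mitre.org:services:1.1",
    "X-TAXII-Protocol": "urn:taxii.mitre.org:protocol:https:1.0",
}

def build_discovery_request(url, username, password, message_id="1"):
    """Return an unsent POST carrying a TAXII 1.1 Discovery_Request."""
    if not url.lower().startswith("https://"):
        raise ValueError("refusing to send TAXII credentials over non-HTTPS URL")
    body = ET.tostring(ET.Element(T + "Discovery_Request", {"message_id": message_id}))
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers = dict(TAXII_HEADERS, Authorization="Basic " + token)  # assumed: HTTP Basic
    return urllib.request.Request(url, data=body, headers=headers, method="POST")

def parse_discovery_response(xml_bytes):
    """Map each available service type to the addresses that offer it."""
    root = ET.fromstring(xml_bytes)
    if root.tag != T + "Discovery_Response":  # e.g. a Status_Message on failure
        raise ValueError("unexpected TAXII message: " + root.tag)
    services = {}
    for inst in root.findall(T + "Service_Instance"):
        if inst.get("available", "true") == "true":
            addr = (inst.findtext(T + "Address") or "").strip()
            services.setdefault(inst.get("service_type"), []).append(addr)
    return services

# Constructed, simplified response; not captured from a ThreatConnect server.
SAMPLE_RESPONSE = b"""<t:Discovery_Response xmlns:t="http://taxii.mitre.org/messages/taxii_xml_binding-1.1" message_id="2" in_response_to="1">
  <t:Service_Instance service_type="DISCOVERY" available="true"><t:Address>https://api.threatconnect.com/taxii/discovery</t:Address></t:Service_Instance>
  <t:Service_Instance service_type="POLL" available="true"><t:Address>https://api.threatconnect.com/taxii/poll</t:Address></t:Service_Instance>
  <t:Service_Instance service_type="INBOX" available="false"><t:Address>https://taxii.example.invalid/inbox</t:Address></t:Service_Instance>
</t:Discovery_Response>"""

if __name__ == "__main__":
    req = build_discovery_request("https://api.threatconnect.com/taxii/discovery", "taxii-user", "placeholder")
    print(req.get_method(), req.full_url, sorted(req.headers))
    print(parse_discovery_response(SAMPLE_RESPONSE))  # send req with urllib.request.urlopen(req)
```

Users on a private instance substitute their own Discovery URL; the Poll address returned by Discovery is the one to use for subsequent POLL requests.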
Creating a TAXII User
- On the top navigation bar (Figure 1), hover the cursor over the Settings icon and select ORG SETTINGS from the dropdown menu (Figure 2).
- The Organization Settings screen will appear (Figure 3).
- Click the Create TAXII User button, and the TAXII User Administration window will appear (Figure 4).
  - Username: Click inside the box to enter a name for the TAXII user.
  - Password: Click inside the box to enter a password for the TAXII user.
  - Pseudonym: Click inside the box to enter a pseudonym for the TAXII user. Owners of Communities and Sources to which the user belongs will see this name when viewing their members.
  - Translator Version: Click on the dropdown menu to choose the type of data that can be delivered by the TAXII server. STIX 1.1.1 Indicators TC_V2 is the recommended translator. It converts ThreatConnect Indicators to individual STIX Indicators and is compatible with the TC_V2 Parser. It also inserts pipe-delimited metadata (Description, Source, Threat Rating, ThreatAssess score, False Positives, and Owner) into each Indicator’s description and includes Observations and Confidence Rating in separate STIX fields. STIX 1.1.1 Indicators TC_V1 (Legacy Translator) aggregates multiple ThreatConnect Indicators into a single watchlist for a particular type of Indicator and is compatible with the TC_V1 Parser.
  - Package TLP: Click on the dropdown menu to select the option for the Traffic Light Protocol (TLP) level on the data delivered by the TAXII server.
  - ID Prefix: Click on the dropdown menu to select the namespace prefix for generated STIX IDs.
  - Locked: Click the checkbox to lock the TAXII user’s account.
  - Disabled: Click the checkbox to disable the TAXII user’s account.
NOTE: The total number of TAXII users created cannot exceed the number allowed by the API limit.
NOTE: Each TAXII user uses a different API key when employing TAXII for defensive integrations.
TAXII™ is a trademark of The MITRE Corporation.