Using the ThreatConnect TAXII Server

Last Updated: Dec 27, 2018 10:20AM EST
Organization Administrator


The ThreatConnect® TAXII™ server can be used by an external TAXII client to retrieve data from a ThreatConnect user’s Organization and any Communities or Sources to which the user has access. To connect to the ThreatConnect TAXII server, the external TAXII client will require login credentials (username and password), which are configured by creating a TAXII user, as detailed in this document.

The TAXII client will also require a Discovery URL of the form The POLL URL is of the form The exact URL will differ for users on a private instance of ThreatConnect. Refer to for details on the API endpoints for working with TAXII in ThreatConnect.

The ThreatConnect TAXII Server supports Discovery, Collection-Management, and POLL requests, including multi-part POLL exchanges. TAXII 1.1 documentation may be found at

Creating a TAXII User

  1. On the top navigation bar (Figure 1), hover the cursor over the Settings icon and select ORG SETTINGS from the dropdown menu (Figure 2).
  2. The Organization Settings screen will appear (Figure 3).
  3. Click the Create TAXII User button, and the TAXII User Administration window will appear (Figure 4).
    • Username: Click inside the box to enter a name for the TAXII user.
    • Password: Click inside the box to enter a password for the TAXII user.
    • Pseudonym: Click inside the box to enter a pseudonym for the TAXII user. Owners of Communities and Sources to which the user belongs will see this name when viewing their members.
    • Translator Version: Click on the dropdown menu to choose the type of data that can be delivered by the TAXII server. STIX 1.1.1 Indicators TC_V2 is the recommended translator. It converts ThreatConnect Indicators to individual STIX Indicators and is compatible with the TC_V2 Parser. It also inserts pipe-delimited metadata (Description, Source, Threat Rating, ThreatAssess score, False Positives, and Owner) into each Indicator’s description and includes Observations and Confidence Rating in separate STIX fields. STIX 1.1.1 Indicators TC_V1 (Legacy Translator) aggregates multiple ThreatConnect Indicators into a single watchlist for a particular type of Indicator and is compatible with the TC_V1 Parser.
    • Package TLP: Click on the dropdown menu to select the option for the Traffic Light Protocol (TLP) level on the data delivered by the TAXII server.
    • ID Prefix: Click on the dropdown menu to select the namespace prefix for generated STIX IDs.
    • Locked: Click the checkbox to lock the TAXII user’s account.
    • Disabled: Click the checkbox to disable the TAXII user’s account.
  4. Click the SAVE button.

    NOTE: The total number of TAXII users created cannot exceed the number allowed by the API limit.

    NOTE: Each TAXII user uses a different API key when employing TAXII for defensive integrations.

  5. Log into a TAXII client using your new credentials in order to access the ThreatConnect TAXII server and start retrieving data from your Organization, Communities, and Sources.
  TAXII™ is a trademark of The MITRE Corporation.

20065-02 EN Rev. D

Contact Us

  • ThreatConnect, Inc.
    3865 Wilson Blvd.
    Suite 550
    Arlington, VA 22203

    Toll Free:   1.800.965.2708
    Local: +1.703.229.4240
    Fax +1.703.229.4489

    Email Us
seconds ago
a minute ago
minutes ago
an hour ago
hours ago
a day ago
days ago
Invalid characters found