TAXII

Version: 2.0.0

TAXII is an application layer protocol for the communication of cyber threat information in a simple and scalable manner. This specification defines the TAXII RESTful API and its resources along with the requirements for TAXII Client and Server implementations.

Connect TAXII with LogicHub

  1. Navigate to Automations > Integrations.
  2. Search for TAXII.
  3. Click Details, then the + icon. Enter the required information in the following fields.
    • Label: Connection name.
    • Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
    • Verify SSL: Select this option to verify the connecting server's SSL certificate (default is Verify SSL Certificate).
    • Server URL: Server URL to access Power BI.
    • Username: Username to access Power BI.
    • Password: Password to access Power BI.
    • API Version: Select the API version to access Power BI.
  4. After you've entered all the details, click Connect.

List Collections

List collections from TAXII API

Input Field

Choose a connection that you have previously created.

Output

JSON containing the following items:

{
  "collections": [
    {
      "id": "3asdfcc9-8d9e-4f06-a995-basdfafd91",
      "title": "automated-high-asdf",
      "description": "Groups packages containing Indicators with High Confidence Score and TLP values GREEN, and WHITE",
      "can_read": true,
      "can_write": false,
      "media_types": [
        "application/taxii+json;version=2.1"
      ]
    },
    {
      "id": "1asdf8a8-53cc-41c6-861b-easdf6cfce3",
      "title": "automated-high-asdf",
      "description": "Groups packages containing Indicators with High Confidence Score and TLP values RED, AMBER, GREEN, and WHITE",
      "can_read": true,
      "can_write": false,
      "media_types": [
        "application/taxii+json;version=2.1"
      ]
    }
  ],
  "error": null,
  "has_error": false
}

Get Collection

Get collection by collection Id.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
|---|---|---|
| Collection ID | Jinja-templated text containing the Collection Id | Required |

Output

JSON containing the following items:

{
  "can_write": false,
  "description": "Groups packages containing Indicators with High Confidence Score and TLP values GREEN, and WHITE",
  "has_error": false,
  "id": "3easdf9-8d9e-4f06-a995-b1asdffd91",
  "error": null,
  "media_types": [
    "application/taxii+json;version=2.1"
  ],
  "title": "automated-high-impact",
  "can_read": true
}

List Objects

List objects by collection Id

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
|---|---|---|
| Collection ID | Jinja-templated text containing the Collection | Required |
| Filters | Jinja-templated text containing the filter. Example 'match[id]=123f12&match[type]=indicator' | Optional |

Output

JSON containing the following items:

{
  "objects": [
    {
      "id": "indicator--2asdf7b-c8bb-407c-b815-e6basdfec35",
      "pattern": "[file:hashes.MD5 = '0c473dcabasdf4fedfed7717b']",
      "confidence": 85,
      "lang": "en",
      "type": "indicator",
      "created": "2020-05-19T09:33:13.743Z",
      "modified": "2020-05-19T09:33:13.743Z",
      "name": "Linked Hashes: 0c473dcabasdasdf4fedfed7717b",
      "valid_from": "2020-05-19T09:33:11.794725Z",
      "pattern_type": "stix",
      "object_marking_refs": [
        "marking-definition--3asdffce-860f-48ae-8e50-ebasdfe41da"
      ],
      "labels": [
        "tactic:label"
      ],
      "indicator_types": [
        "anomalous-activity"
      ],
      "pattern_version": "2.1",
      "spec_version": "2.1"
    },
    {
      "id": "marking-definition--f8asdf6-486f-44da-b317-01asdf0b82",
      "created": "2017-01-20T00:00:00.000Z",
      "definition_type": "tlp",
      "name": "TLP:label",
      "definition": {
        "tlp": "amber"
      },
      "type": "marking-definition",
      "spec_version": "2.1"
    }
  ],
  "more": false,
  "error": null,
  "has_error": false
}
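
Added example (not part of the integration or of the original page): one way to post-process a List Objects result before indicators are forwarded to other tools. It resolves each indicator's object_marking_refs against the TLP marking-definition objects in the same result, fails closed when a marking is missing or unresolved, and surfaces the "more" flag so a truncated page is not mistaken for the full collection. The function name, thresholds and sample identifiers are assumptions made for illustration.

```python
# TLP levels ordered from least to most restrictive (names as used on this page).
TLP_ORDER = ["white", "green", "amber", "red"]

def triage_objects(result, max_tlp="green", min_confidence=80):
    """Return (shareable_ids, held_back_ids, more) for a List Objects result."""
    if result.get("has_error"):
        raise RuntimeError(f"TAXII action failed: {result.get('error')}")
    objects = result.get("objects", [])
    # Map marking-definition id -> TLP level for the markings present in the result.
    tlp_by_id = {
        o["id"]: str(o.get("definition", {}).get("tlp", "")).lower()
        for o in objects
        if o.get("type") == "marking-definition" and o.get("definition_type") == "tlp"
    }
    limit = TLP_ORDER.index(max_tlp)
    shareable, held_back = [], []
    for o in objects:
        if o.get("type") != "indicator":
            continue
        levels = [tlp_by_id.get(ref) for ref in o.get("object_marking_refs", [])]
        # Fail closed: no marking, an unresolved ref or an unknown level holds it back.
        known = bool(levels) and all(lvl in TLP_ORDER for lvl in levels)
        ok = (known
              and max(TLP_ORDER.index(lvl) for lvl in levels) <= limit
              and o.get("confidence", 0) >= min_confidence)
        (shareable if ok else held_back).append(o["id"])
    return shareable, held_back, bool(result.get("more"))

# Constructed sample shaped like the output above (identifiers are placeholders).
SAMPLE = {
    "objects": [
        {"type": "indicator", "id": "indicator--aaaa", "confidence": 85,
         "object_marking_refs": ["marking-definition--green"]},
        {"type": "indicator", "id": "indicator--bbbb", "confidence": 90,
         "object_marking_refs": ["marking-definition--amber"]},
        {"type": "indicator", "id": "indicator--cccc", "confidence": 95,
         "object_marking_refs": ["marking-definition--missing"]},
        {"type": "marking-definition", "id": "marking-definition--green",
         "definition_type": "tlp", "definition": {"tlp": "green"}},
        {"type": "marking-definition", "id": "marking-definition--amber",
         "definition_type": "tlp", "definition": {"tlp": "amber"}},
    ],
    "more": True, "error": None, "has_error": False,
}

if __name__ == "__main__":
    print(triage_objects(SAMPLE))
```

When the third returned value is true, the result is only one page of the collection and the remaining objects still have to be fetched before the triage is complete.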

Server Discovery

Get server discovery

Input Field

Choose a connection that you have previously created.

Output

JSON containing the following items:

{
  "description": "abc Exchange TAXII 2.1 server contains 1 API Root",
  "api_roots": [
    "https://taxii.abc.com/ctixapi/ctix21/"
  ],
  "contact": "Please contact abc.",
  "has_error": false,
  "error": null,
  "default": "https://taxii.abc.com/ctixapi/ctix21/",
  "title": "abc Exchange TAXII 2.1 Server"
}

Get API Root Information

Get API root information

Input Field

Choose a connection that you have previously created.

Output

JSON containing the following items:

{
  "description": "TAXII 2.1 service for abc user",
  "versions": [
    "application/taxii+json;version=2.1"
  ],
  "has_error": false,
  "error": null,
  "title": "abc TAXII 2.1 API Root",
  "max_content_length": 10000000
}

Release Notes

  • v2.0.0 - Updated architecture to support IO via filesystem
  • v1.0.2 - Added 5 actions: Get Collections, Get A Collection, Get Objects, Server Discovery and Get API Root Information.
