
TAXII


TAXII is an application layer protocol for the communication of cyber threat information in a simple and scalable manner. This specification defines the TAXII RESTful API and its resources along with the requirements for TAXII Client and Server implementations.

Connect TAXII with Devo SOAR

  1. Navigate to Automations > Integrations.

  2. Search for TAXII.

  3. Click Details, then the + icon. Enter the required information in the following fields.

  4. Label: Connection name.

  5. Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.

  6. Verify SSL: Select option to verify connecting server's SSL certificate (Default is Verify SSL Certificate).

  7. Server URL: Server URL to access Power BI.

  8. Username: Username to access Power BI.

  9. Password: Password to access Power BI.

  10. API Version: Select the API version to access Power BI.

  11. After you've entered all the details, click Connect.

List Collections

List collections from TAXII API

Input Field

Choose a connection that you have previously created.

Output

JSON containing the following items:

```json
{
  "collections": [
    {
      "id": "3asdfcc9-8d9e-4f06-a995-basdfafd91",
      "title": "automated-high-asdf",
      "description": "Groups packages containing Indicators with High Confidence Score and TLP values GREEN, and WHITE",
      "can_read": true,
      "can_write": false,
      "media_types": [
        "application/taxii+json;version=2.1"
      ]
    },
    {
      "id": "1asdf8a8-53cc-41c6-861b-easdf6cfce3",
      "title": "automated-high-asdf",
      "description": "Groups packages containing Indicators with High Confidence Score and TLP values RED, AMBER, GREEN, and WHITE",
      "can_read": true,
      "can_write": false,
      "media_types": [
        "application/taxii+json;version=2.1"
      ]
    }
  ],
  "error": null,
  "has_error": false
}
```

Get Collection

Get collection by collection Id.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :------------ | :---------------------------------------------------------------------- | :------- |
| Collection ID | [Jinja-templated](doc:jinja-template) text containing the Collection Id | Required |

Output

JSON containing the following items:

```json
{
  "can_write": false,
  "description": "Groups packages containing Indicators with High Confidence Score and TLP values GREEN, and WHITE",
  "has_error": false,
  "id": "3easdf9-8d9e-4f06-a995-b1asdffd91",
  "error": null,
  "media_types": [
    "application/taxii+json;version=2.1"
  ],
  "title": "automated-high-impact",
  "can_read": true
}
```

List Objects

List objects by collection Id

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :------------ | :---------------------------------------------------------------------- | :------- |
| Collection ID | Jinja-templated text containing the Collection | Required |
| Filters | Jinja-templated text containing the filter. Example 'match[id]=123f12&match[type]=indicator' | Optional |

Output

JSON containing the following items:

```json
{
  "objects": [
    {
      "id": "indicator--2asdf7b-c8bb-407c-b815-e6basdfec35",
      "pattern": "[file:hashes.MD5 = '0c473dcabasdf4fedfed7717b']",
      "confidence": 85,
      "lang": "en",
      "type": "indicator",
      "created": "2020-05-19T09:33:13.743Z",
      "modified": "2020-05-19T09:33:13.743Z",
      "name": "Linked Hashes: 0c473dcabasdasdf4fedfed7717b",
      "valid_from": "2020-05-19T09:33:11.794725Z",
      "pattern_type": "stix",
      "object_marking_refs": [
        "marking-definition--3asdffce-860f-48ae-8e50-ebasdfe41da"
      ],
      "labels": [
        "tactic:label"
      ],
      "indicator_types": [
        "anomalous-activity"
      ],
      "pattern_version": "2.1",
      "spec_version": "2.1"
    },
    {
      "id": "marking-definition--f8asdf6-486f-44da-b317-01asdf0b82",
      "created": "2017-01-20T00:00:00.000Z",
      "definition_type": "tlp",
      "name": "TLP:label",
      "definition": {
        "tlp": "amber"
      },
      "type": "marking-definition",
      "spec_version": "2.1"
    }
  ],
  "more": false,
  "error": null,
  "has_error": false
}
```
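A playbook step that consumes the List Objects output can triage indicators before they reach a blocklist, as in this added example (it is not Devo's or the integration's own code). It assumes file-hash patterns only and a policy of TLP white/green with confidence of at least 70; the function name, helper names, thresholds and all sample values are hypothetical.

```python
import re

# One equality test on a file hash, e.g. [file:hashes.MD5 = '...'].
PATTERN_RE = re.compile(r"\[file:hashes\.'?([A-Za-z0-9-]+)'?\s*=\s*'([^']*)'\]")
HEX_LEN = {"MD5": 32, "SHA-1": 40, "SHA-256": 64}

def triage_indicators(result, allowed_tlp=("white", "green"), min_confidence=70):
    """Return (accepted, rejected, more); more=True means further pages exist."""
    if result.get("has_error"):
        raise RuntimeError(f"List Objects failed: {result.get('error')}")
    objects = result.get("objects", [])
    # TLP markings arrive as separate objects; index them by id.
    tlp_by_id = {o["id"]: o.get("definition", {}).get("tlp")
                 for o in objects if o.get("type") == "marking-definition"}
    accepted, rejected = [], []
    for obj in objects:
        if obj.get("type") != "indicator":
            continue
        m = PATTERN_RE.fullmatch(obj.get("pattern", ""))
        algo, value = (m.group(1).upper(), m.group(2).lower()) if m else (None, "")
        tlps = [tlp_by_id.get(ref) for ref in obj.get("object_marking_refs", [])]
        if obj.get("pattern_type") != "stix" or not m:
            reason = "unsupported pattern"
        elif len(value) != HEX_LEN.get(algo) or not re.fullmatch(r"[0-9a-f]+", value):
            reason = "malformed hash"
        elif obj.get("confidence", 0) < min_confidence:
            reason = "low confidence"
        elif not tlps or any(t not in allowed_tlp for t in tlps):
            reason = "TLP unresolved or not allowed"  # fail closed
        else:
            accepted.append({"id": obj["id"], "algo": algo, "hash": value})
            continue
        rejected.append((obj["id"], reason))
    return accepted, rejected, bool(result.get("more"))

def _ind(n, pattern, marking):  # builds one constructed indicator
    return {"id": f"indicator--example-{n}", "type": "indicator", "confidence": 85,
            "pattern_type": "stix", "pattern": pattern, "object_marking_refs": [marking]}

def _tlp(colour):  # builds one constructed TLP marking-definition
    return {"id": f"marking-definition--example-{colour}", "type": "marking-definition",
            "definition_type": "tlp", "definition": {"tlp": colour}}

# Constructed sample in the shape of the List Objects output; all values are made up.
GOOD = "[file:hashes.MD5 = '0123456789abcdef0123456789abcdef']"
SAMPLE = {"objects": [
    _ind(1, GOOD, "marking-definition--example-green"),
    _ind(2, GOOD, "marking-definition--example-absent"),  # marking not in the result
    _ind(3, "[file:hashes.MD5 = '0c47zz']", "marking-definition--example-green"),
    _ind(4, GOOD, "marking-definition--example-amber"),
    _tlp("green"), _tlp("amber")], "more": False, "error": None, "has_error": False}
```

The second constructed indicator mirrors the output shown above, where the indicator's `object_marking_refs` entry does not match the id of the marking-definition returned with it; the function treats that case as unknown TLP and rejects it.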

Server Discovery

Get server discovery

Input Field

Choose a connection that you have previously created.

Output

JSON containing the following items:

```json
{
  "description": "abc Exchange TAXII 2.1 server contains 1 API Root",
  "api_roots": [
    "https://taxii.abc.com/ctixapi/ctix21/"
  ],
  "contact": "Please contact abc.",
  "has_error": false,
  "error": null,
  "default": "https://taxii.abc.com/ctixapi/ctix21/",
  "title": "abc Exchange TAXII 2.1 Server"
}
```

Get API Root Information

Get API root information

Input Field

Choose a connection that you have previously created.

Output

JSON containing the following items:

```json
{
  "description": "TAXII 2.1 service for abc user",
  "versions": [
    "application/taxii+json;version=2.1"
  ],
  "has_error": false,
  "error": null,
  "title": "abc TAXII 2.1 API Root",
  "max_content_length": 10000000
}
```

Release Notes

  • v2.0.0 - Updated architecture to support IO via filesystem

  • v1.0.2 - Added 5 actions: Get Collections, Get A Collection, Get Objects, Server Discovery and Get API Root Information.