Skip to main content

Cyware TAXII 2.x Client

App Vendor: Cyware

App Category: Data Enrichment & Threat Intelligence

Connector Version: 2.0.0

API Version: TAXII 2.0/2.1

About App

The Cyware TAXII 2.x client app allows security teams to integrate with TAXII 2.x servers to discover, collect, poll, and exchange threat intelligence data securely.

The Cyware TAXII 2.x Client app is configured with Cyware Orchestrate to perform the following actions:

Action Name

Description

Collection Data Request 

This action retrieves data about a particular collection on the TAXII server.

Discovery Request 

This action is used to make a discovery request, which provides general information about a TAXII Server, including the advertised API roots.

Get Collections 

This action retrieves all the available collections from the TAXII server.

Get Objects 

This action retrieves objects from a particular collection from the TAXII server.

Get Objects using Pagination 

This action retrieves objects from a TAXII collection using pagination.

Inbox request 

This action is used to make an inbox request, which adds objects to a collection in the TAXII server.

Root Discovery Request 

This action is used to make a root discovery request, which provides general information about the API root.

Generic Action 

This is a generic action to perform any additional use case that you want on Cyware TAXII 2.x Client.

Configuration Parameters

The following configuration parameters are required for the Cyware TAXII 2.x Client app to communicate with the Cyware TAXII 2.x Client enterprise application. The parameters can be configured by creating instances in the app.

Parameter

Description

Field Type

Required/Optional

Comments

TAXII Discovery URL 

Enter the TAXII discovery URL to locate and access the TAXII server’s discovery endpoint. 

Example:

https://baseurl.com/taxii2/discovery/

Text

Required

This provides information about the server and lists the available api root URLs.

TAXII Username 

Enter the username to authenticate with the TAXII server.

Example:

johndoe

Text

Required

TAXII Password 

Enter the password associated with your TAXII username.

Password

Required

TAXII Version 

Specify the TAXII version to use for communication. Choose false for TAXII 2.0 or True for TAXII 2.1.

Boolean

Optional

The default value is true, indicating TAXII 2.1.

TAXII API Root URL 

Enter the TAXII API root URL to connect directly to a specific endpoint.

Example:

https://baseurl.com/taxii2/

Text

Optional

Use this to override the default API root URL returned in the discovery response.

Timeout 

Enter the timeout value in seconds. This is the number of seconds that requests will wait to establish a connection with Cyware TAXII 2.x Client.

Integer

Optional

Allowed range:

15-120 seconds

Default value:

15 seconds

Verify 

Choose your preference to verify SSL or TLS while making requests. It is recommended to set this option to yes. Passing no may result in connection errors.

Boolean

Optional

Allowed values are true and false.

By default, verification is enabled.

Action: Collection Data Request

This action retrieves the data about a particular collection on the TAXII server.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Collection ID 

Enter the unique ID of the TAXII collection you want to retrieve data from.

Example:

91a7b528-80eb-42ed-a74d-c6fbd5a26116

Text

Required

You can retrieve the collection ID using the Get Collections action.

Example Request 

[
    {
        "collection_id": "thw2k6rf-w130-zaiv-i606-rsm42fk4dwms"
    }
]

Action: Discovery Request

This action makes a discovery request, which provides general information about a TAXII Server, including the advertised API Roots.

Action Input Parameters 

This action does not require input parameters.

Action: Get Collections

This action retrieves all the available collections from the TAXII server.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Limit

Enter the maximum number of collections to return in each response.

Example:

20

Integer

Optional

Default value:

100

Offset

Enter the index from which to start retrieving results. Use this parameter to fetch the next page of collections.

Integer

Optional

Default value:

0

This parameter is supported only in TAXII 2.0.

Example Request

[
    {
        "limit": "100",
        "offset": "0"
    }
]

Action: Get Objects

This action retrieves objects from a particular collection from the TAXII server.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Poll From Date 

Enter the timestamp (in ISO format) from which to start retrieving newly added objects. Use this to fetch only data added after a specific date and time.

Example:

2025-01-21T00:00:00.000Z

Text

Optional

Limit 

Enter the maximum number of objects to return in each response.

Example:

20

Integer

Optional

Default value:

100

Offset 

Enter the index from which to start retrieving results. Use this parameter to fetch the next page of objects when paginating through large collections.

Integer

Optional

Default value:

0

This parameter is supported only in TAXII 2.0.

Object ID 

Enter a specific object ID to retrieve only that object.

Example:

indicator--0023c8e2-3bb9-4ece-8b49-808edbf7617b

Text

Optional

Next 

Enter the next token if the data has been paginated.

Text

Optional

Available only on TAXII 2.1.

Object Type 

Enter the stix object type to narrow results to a particular type of threat data. You can use any STIX object type.

Example:

indicator

Text

Optional

Collection ID 

Enter the unique ID of the TAXII collection you want to retrieve objects from.

Example:

91a7b528-80eb-42ed-a74d-c6fbd5a26116

Text

Required

You can retrieve the collection using the Get Collections action.

Match Version 

Enter one or more versions of the STIX objects to retrieve.

Example:

2016-01-01t01:01:01.000z

Text

Optional

Allowed values:

last, first, all, or specific version timestamps in ISO format

Match Spec Version 

Enter one or more STIX specification versions of the objects to limit results to those versions.

Text

Optional

Allowed values:

2.0 and 2.1

Example Request 

[
    {
        "collection_id": "ec8792bb-890c-44bd-8639-9d524f56f76a"
    }
]

Action: Get Objects using Pagination

This action retrieves objects from a TAXII collection using pagination.

Action Input Parameters

Parameter

Description

Field Type

Required/Optional

Comments

Collection ID

Enter the unique ID of the TAXII collection you want to retrieve objects from.

Example:

91a7b528-80eb-42ed-a74d-c6fbd5a26116

Text

Required

You can retrieve the collection ID using the Get Collections action.

Limit

Enter the maximum number of objects to return in each response.

Example:

20

Integer

Optional

Default value:

100

Offset

Enter the index from which to start retrieving results. Use this parameter to fetch the next page of objects when paginating through large collections.

Integer

Optional

Default value:

0

This parameter is supported only in TAXII 2.0.

Object ID

Enter a specific object ID to retrieve only that object.

Example:

indicator--0023c8e2-3bb9-4ece-8b49-808edbf7617b

Text

Optional

You can retrieve the object ID using the Get Objects action.

Object Type

Enter the STIX object type to narrow results to a particular type of threat data.

Example:

indicator

Text

Optional

You can use any STIX object type.

Poll From Date

Enter the timestamp (in ISO format) from which to start retrieving newly added objects. Use this to fetch only data added after a specific date and time.

Example:

2025-01-21t00:00:00.000z

Text

Optional

Match Version

Enter one or more versions of the STIX objects to retrieve.

Example:

2016-01-01t01:01:01.000z

Text

Optional

Allowed values:

last, first, all, or specific version timestamps in ISO format.

Match Spec Version

Enter one or more STIX specification versions of the objects to limit results to those versions.

Text

Optional

Allowed values:

2.0 and 2.1

Example Request

[
    {
        "added_after": " 2025-01-21",
        "collection_id": "ec8792bb-890c-44bd-8639-9d524f56f76a"
    }
]

Action: Inbox request

This action makes an inbox request, which adds objects to a collection in the TAXII server.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

STIX Object 

Enter the data into the inbox of the TAXII server. Data should be in STIX envelope (for TAXII 2.1) or STIX bundle (for TAXII 2.0) format.

Example:

taxii 2.1: $JSON[{"objects": [ ... ] }] or taxii 2.0: $JSON[{"type": "bundle", "id": "bundle--...", "spec_version": "2.0", "objects": [ ... ] }].

Any

Required

Collection ID 

Enter the unique ID of the TAXII collection you want to inbox data to.

Example:

91a7b528-80eb-42ed-a74d-c6fbd5a26116

Text

Required

You can retrieve the collection ID using the Get Collections action.

Example Request 

[
  {
    "stix_bundle": {
      "type": "bundle",
      "id": "bundle--a243a8e3-5df2-497e-b8b5-c359f1870076",
      "spec_version": "2.0",
      "objects": [
        {
          "modified": "2025-03-19T15:00:40.855Z",
          "name": "The MITRE Corporation",
          "description": "",
          "identity_class": "organization",
          "type": "identity",
          "id": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
          "created": "2017-06-01T00:00:00.000Z",
          "object_marking_refs": [
            "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
          ],
          "x_mitre_attack_spec_version": "3.2.0"
        }
      ]
    },
    "collection_id": "ec8792bb-890c-44bd-8639-9d524f56f76a"
  }

Action: Root Discovery Request

This action makes a root discovery request, which provides general information about the API root.

Action Input Parameters 

This action does not require input parameters.

Action: Generic Action

This is a generic action to perform any additional use case that you want on Cyware TAXII 2.x Client.

Action Input Parameters 

Parameter

Description

Field Type

Required/Optional

Comments

Method 

Enter the HTTP method to make the request.

Text

Required

Allowed values:

GET, PUT, POST, DELETE

Endpoint 

Enter the endpoint to make the request to.

Example:

‘collections/{collection_id}/objects/’

Text

Required

Query Params 

Enter the query parameters to pass to the API.

Example:

{'limit':20}

Key Value

Optional

Payload 

Enter the payload to pass to the API.

Example:

$json[{'key':'evaluate'}]

Any

Optional

Extra Fields 

Enter the extra fields to pass to the API.

Key Value

Optional

Allowed keys:

are headers, payload_data, custom_output, download, filename, files, retry_wait, retry_count, and response_type

Changelog

The following table shows the changelog for each app version:

Version

Changes

v2.0.0

  • Introduced Get Objects using Pagination action.

  • Renamed Poll Collections action to Get Objects and added support for Match Version and Match Spec Version parameters.

  • Added TAXII API Root URL and Timeout parameters for instance configuration.

  • Added Extra Fields parameter in Generic Action.

  • Changed field type for STIX object in Inbox Request action from Text to Any.

  • Changed field type for Limit and Offset in Get Collection and Get Objects actions from Text to Integer.